Skills
skills/soul-brews-studio/oracle-skills-cli/gemini/Gen Agent Trust Hub

gemini

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Multiple automation scripts, including deep-research.ts, list-tabs.ts, status.ts, and youtube-transcribe.ts, use Bun.spawn to execute the system binaries mosquitto_pub and mosquitto_sub for MQTT messaging.
  • [REMOTE_CODE_EXECUTION]: The skill implements an exec_script action, as seen in debug-chat.ts, which allows the agent to execute arbitrary JavaScript code within the context of an active Gemini browser tab.
  • [DATA_EXFILTRATION]: The skill can retrieve the full HTML or text content of a browser tab using the get_html and get_text commands. This functionality, used in inspect-gemini.ts and get-response.ts, can be used to access sensitive session data or chat history from the browser.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes content from the Gemini web interface, which may contain instructions generated by the LLM or embedded in the page.
  • Ingestion points: Data enters the agent context from the MQTT response topic after the execution of commands like get_text, get_html, or get_response.
  • Boundary markers: The scripts do not utilize delimiters or specific instructions to isolate content retrieved from the browser as untrusted data.
  • Capability inventory: Across the skill scripts, capabilities include subprocess execution (mosquitto_pub), browser script execution (exec_script), and network communication with a local MQTT broker.
  • Sanitization: The scripts do not perform sanitization, escaping, or validation on the content retrieved from browser tabs before providing it to the agent for processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 21, 2026, 07:17 AM