gemini
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes arbitrary prompt strings and external file contents without isolation.
  * Ingestion points: The <prompt> command-line argument and the inclusion of file contents (e.g., $(cat app.py)) in usage examples.
  * Boundary markers: Absent. The skill does not implement delimiters or system instructions to distinguish between agent instructions and untrusted data content.
  * Capability inventory: While the skill itself performs network operations via the Gemini CLI, its output is intended to guide the calling agent's reasoning, which often involves high-privilege file-system and shell access.
  * Sanitization: No validation or escaping is performed on the input before it is passed to the execution environment.
- COMMAND_EXECUTION (LOW): The skill facilitates the execution of a local Python script (gemini.py). Although this is the defined functionality, it involves executing code from the local filesystem with a high timeout (2 hours).
Audit Metadata