searching-web
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The script scripts/web-search.sh takes the user-provided search query and interpolates it directly into a prompt string for the gemini command. This creates a direct injection vector where a user can provide instructions that override the intended behavior of the tool.
- [COMMAND_EXECUTION]: The gemini command is executed with the --yolo flag. In many AI CLI tools, this flag permits the model to execute suggested shell commands or perform system actions without manual confirmation. When combined with the prompt injection vulnerability mentioned above, an attacker could trick the tool into executing harmful system commands (e.g., file deletion or credential theft).
- [INDIRECT_PROMPT_INJECTION]: This skill possesses a significant attack surface for indirect injection.
  - Ingestion points: The $SEARCH_QUERY variable in scripts/web-search.sh accepts untrusted data.
  - Boundary markers: There are no delimiters or instructions used to separate the user query from the system's instructions.
  - Capability inventory: The skill executes the gemini CLI with automation permissions (--yolo).
  - Sanitization: No sanitization or validation is performed on the search query before it is passed to the command line.
Recommendations
- AI detected serious security threats
Audit Metadata