research
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill executes the `gemini` command using the `--yolo` flag. According to the skill's own documentation, this flag "auto-approves file operations (non-interactive)." This is highly dangerous because the input for the command is a research prompt constructed from un-sanitized user input, allowing an attacker to potentially trick the tool into writing, modifying, or deleting files on the host system.
- PROMPT_INJECTION (MEDIUM): User-provided topics and context are directly interpolated into the `sessions_spawn` task and the subsequent `gemini` CLI prompt without any boundary markers (like XML tags) or instructions to ignore embedded commands. An attacker could provide a malicious topic designed to hijack the sub-agent's behavior.
- EXTERNAL_DOWNLOADS (LOW): The skill relies on an external binary (`gemini`) from the `google/gemini-cli` repository. While the `google` GitHub organization is a trusted source, the specific way the tool is invoked with high-privilege flags (`--yolo`) makes this dependency a security concern.
- DATA_EXPOSURE (LOW): Research data is saved to `~/clawd/research/[slug]/research.md`. While the intended use is benign, if the `[slug]` variable is derived from user input without strict validation, it could potentially lead to path traversal or organizational issues on the file system.
- INDIRECT PROMPT INJECTION (LOW): The skill has a high-risk attack surface for indirect injection.
  - Ingestion points: User-provided research topics and goals in `SKILL.md`.
  - Boundary markers: Absent; user input is directly concatenated into the command string.
  - Capability inventory: File system access via `gemini --yolo`, session spawning via `sessions_spawn`, and system notifications via `cron`.
  - Sanitization: None detected; user input is trusted implicitly for the CLI prompt.
Recommendations
- AI detected serious security threats