gemini-deep-research

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill automates a browser against gemini.google.com (see "Navigate gemini.google.com/app" and "Extract plan text" / "Auto-confirm 'Start research'") and can optionally extract/share via Firecrawl, meaning it ingests untrusted third-party content (Gemini/share pages) and acts on the extracted plan/report as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill programmatically navigates to and extracts plan/report text from Gemini at https://gemini.google.com/app during runtime, and those fetched instructions (the research plan) are used to drive and auto-confirm subsequent agent actions, so this external content directly controls the agent's behavior.