NYC

second-opinion

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill utilizes the '--yolo' (or '-y') flag when invoking the 'gemini' CLI. According to the skill's own documentation, this flag 'auto-approves all tool calls without confirmation', which bypasses necessary human-in-the-loop security boundaries and allows the model or extensions to execute system commands directly.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill prompts users to install extensions from 'https://github.com/gemini-cli-extensions/'. This organization is not included in the pre-approved 'Trusted GitHub Organizations' list, presenting a supply chain risk. Granting these unverified extensions auto-approval status via the '--yolo' flag significantly elevates the threat.
  • REMOTE_CODE_EXECUTION (MEDIUM): The tool chain involves piping 'git diff' output into an LLM-powered command line interface that has active tool-execution capabilities. This architectural pattern is susceptible to remote code execution if a diff contains adversarial content that triggers malicious tool calls.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). Evidence:
    1. Ingestion points: Untrusted data enters the context via 'git diff', 'CLAUDE.md', and 'AGENTS.md'.
    2. Boundary markers: None; content is piped directly into the external process without escaping.
    3. Capability inventory: The skill uses 'Bash' to run CLIs that have permission to execute further system commands.
    4. Sanitization: None; external content is not validated or sanitized before interpolation into CLI prompts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:50 PM