second-opinion

Fail

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [External Downloads & Remote Code Execution] (HIGH): The skill directs the agent to install Gemini extensions from 'https://github.com/gemini-cli-extensions/code-review' and 'https://github.com/gemini-cli-extensions/security'. These sources are not part of the trusted organizations list, posing a risk of executing unverified code.
  • [Command Execution] (HIGH): The Gemini CLI is invoked using the '--yolo' flag (documented in SKILL.md and gemini-invocation.md). This flag 'auto-approves all tool calls without confirmation', effectively granting the external LLM autonomous execution power over any tools provided by its extensions.
  • [Prompt Injection] (LOW): The skill ingests untrusted data from 'git diff' and project files ('CLAUDE.md') and interpolates them into prompts for external models.
    1. Ingestion points: 'references/codex-invocation.md' and 'references/gemini-invocation.md' show diff content being piped to stdin.
    2. Boundary markers: The skill uses '---' delimiters but lacks instructions for the model to ignore embedded commands.
    3. Capability inventory: Uses the Bash tool to run CLIs with autonomous execution enabled (--yolo).
    4. Sanitization: No sanitization is applied to input data.
  • [External Downloads] (MEDIUM): The skill recommends global installation of the '@openai/codex' and '@google/gemini-cli' npm packages. While these mimic official names, they are third-party dependencies whose integrity cannot be verified during static analysis.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 20, 2026, 09:23 PM