tuzi-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly fetches and ingests content from third‑party endpoints (e.g., Endpoint.GENERATE and BATCH_EXEC at https://gemini.google.com in scripts/gemini-webapi/client.ts and fetch_gems in scripts/gemini-webapi/components/gem-mixin.ts), parses remote candidate text/thoughts and gem prompts, and uses that data to drive outputs, session metadata, candidate selection, and subsequent requests—so untrusted remote content can materially influence agent actions.