gemini

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is designed to process untrusted external data, including 'entire codebases' and 'architectural plans'. It explicitly directs the agent to use --approval-mode yolo or -y for automated tasks, which 'auto-approves all tools'. This creates a critical Indirect Prompt Injection surface (Category 8). An attacker could embed instructions in a codebase that, when processed by Gemini in 'yolo' mode, would be executed automatically without human intervention.
    • Ingestion Points: Entire codebases, documentation sets, and architectural plans (specified in 'When to Use' and 'Big Context Processing').
    • Boundary Markers: None identified in the prompt templates or command examples.
    • Capability Inventory: Full file modification (auto_edit) and arbitrary tool/command execution (yolo) capabilities.
    • Sanitization: No evidence of sanitization or instruction filtering for the ingested content.
  • COMMAND_EXECUTION (HIGH): The skill facilitates the execution of local tools and commands via the gemini CLI. By mandating the bypass of approval prompts for background tasks, it grants the model the ability to perform high-impact actions on the host system without a human-in-the-loop, significantly increasing the risk of automated compromise.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 09:57 AM