gemini-cli
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill's primary function is to execute shell commands (
gemini,node) with arguments derived from user prompts and AI responses. This includes a 'sandbox' mode (-s) intended for code execution and a 'change mode' for structured file edits, both of which are high-privilege operations. - [REMOTE_CODE_EXECUTION] (HIGH): High susceptibility to Indirect Prompt Injection (Category 8).
- Ingestion points: Reads files and directories via
@pathand@.syntax (referenced inSKILL.md). - Boundary markers: None identified in the skill instructions to distinguish between trusted instructions and untrusted data from the processed files.
- Capability inventory: Can execute shell commands, run sandbox scripts, and perform 'deterministic' file modifications (OLD/NEW blocks).
- Sanitization: No evidence of sanitization or validation of the content retrieved from local files before it is processed by the AI or acted upon by the agent.
- [DATA_EXFILTRATION] (MEDIUM): The skill is designed to send local project data to an external API (Google Gemini). While this is the intended use case, it presents a data exposure risk for sensitive configuration files or proprietary source code if the user or agent inadvertently includes them in the context window.
Recommendations
- AI detected serious security threats
Audit Metadata