baoyu-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill calls gemini.google.com endpoints (e.g., generate_content in scripts/gemini-webapi/client.ts parses candidate.text and web_images returned by Gemini) and explicitly fetches custom "gems" from gemini.google.com in scripts/gemini-webapi/components/gem-mixin.ts, so it ingests untrusted/public third-party content (including user-created gems and web images) that the agent reads and uses in its workflow.