baoyu-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill directly fetches and parses live responses and assets from the public Gemini web endpoints (e.g., Endpoint.GENERATE and BATCH_EXEC in scripts/gemini-webapi/constants.ts) — including custom "gems" (scripts/gemini-webapi/components/gem-mixin.ts) and web image URLs (scripts/gemini-webapi/client.ts and types/image.ts) — and then consumes those untrusted third-party responses to populate ModelOutput/ChatSession metadata and choose next requests, so external content can materially influence subsequent behavior.