baoyu-danger-gemini-web
Warn
Audited by Snyk on Mar 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill directly fetches and ingests responses from gemini.google.com (see Endpoint.GENERATE and BATCH_EXEC in scripts/gemini-webapi/constants.ts and the network calls in scripts/gemini-webapi/client.ts). It also downloads and parses web and generated images and candidate text (e.g., the web_images / generated_images handling). That returned, potentially user-generated content is parsed and used as chat output and metadata in scripts/main.ts, so untrusted third-party content can influence subsequent decisions and tool use.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata