baoyu-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill autonomously fetches and parses live content from public Gemini/Google endpoints (see Endpoint.GENERATE, BATCH_EXEC, and GemMixin.fetch_gems in scripts/gemini-webapi/, which pulls "custom" gems and web_images/URLs from gemini.google.com and googleusercontent.com), and it directly reads that untrusted/user-generated response data (candidate.text, gems' prompt fields, web image URLs) and uses it to drive generation, candidate selection, image downloads, and subsequent chat actions—allowing third-party content to influence tool behavior.