note-meta-skill
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill has a high-risk vulnerability surface by processing untrusted data from the public internet.
  - Ingestion Points: Untrusted data enters the context via `notebooklm source add [URL]` and `notebooklm source add-research` (defined in `SKILL.md`, Stage 1.3).
  - Boundary Markers: No delimiters or 'ignore embedded instructions' warnings are used in the extraction prompts (`references/extraction_prompts.md`).
  - Capability Inventory: The skill can perform filesystem operations (`mkdir -p`) and write files (including scripts) to `~/.gemini/antigravity/Skills/` (defined in `SKILL.md`, Stage 3.2 and 3.5).
  - Sanitization: There is no evidence of sanitization or validation of the content extracted from external sources before it is written to the local skill directory.
- [Remote Code Execution / Dynamic Execution] (HIGH): The skill specifically includes logic to extract and save scripts from internet sources.
  - Evidence: `SKILL.md` (Stage 2 and 3.5) and `references/extraction_prompts.md` (Section 4) instruct the agent to identify, extract, and save code snippets found in web content.
  - Risk: An attacker-controlled website could provide a malicious script that the agent extracts and saves to a local directory, where it may be executed in future sessions.
- [Command Execution] (MEDIUM): The skill instructions involve direct environment variable manipulation (`$env:HTTP_PROXY`) and filesystem modifications in sensitive user directories (`~/.gemini/`). While functional, these operations increase the impact of any successful injection attack.
Recommendations
- AI detected serious security threats
Audit Metadata