skills/zpankz/mcp-skillset/gemini/Gen Agent Trust Hub

gemini

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Risk Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill instructions interpolate user prompts directly into a shell command: 'gemini ""'. This lack of escaping or sanitization creates a significant risk of shell injection if the prompt contains characters like backticks or dollar signs.
  • [REMOTE_CODE_EXECUTION] (HIGH): The 'gemini extensions install ' command allows the installation of unverified code from external sources, which is a primary RCE vector. Similarly, 'gemini mcp add ' allows persistent registration of arbitrary executable commands within the agent's environment.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is specifically designed to ingest massive amounts of external data (1,000,000 tokens) for repository-scale reviews. Findings: 1. Ingestion points: source code and documentation read via --include-directories and tools like Glob/Read. 2. Boundary markers: absent; data is passed directly to the model context. 3. Capability inventory: high; includes Bash execution and 'auto_edit' modes for file modification. 4. Sanitization: none; ingested content is not filtered for embedded instructions.
  • [PROMPT_INJECTION] (MEDIUM): The skill supports a '--yolo' flag and '--approval-mode yolo', which explicitly override safety confirmations. This capability can be abused by malicious instructions to perform autonomous actions without user consent.
  • [EXTERNAL_DOWNLOADS] (LOW): Use of the 'WebFetch' tool allows fetching external content, which could serve as a source for malicious instructions or a mechanism for data exfiltration.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 04:30 AM