collaborating-with-gemini

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/gemini_bridge.py script executes the external gemini CLI tool to facilitate collaboration.
  • Command execution is implemented using subprocess.Popen with shell=False, which effectively prevents shell injection by ensuring arguments are not interpreted by a command shell.
  • The script utilizes shutil.which to verify and resolve the path of the gemini executable, ensuring it is correctly located within the user's environment.
  • [PROMPT_INJECTION]: The skill acknowledges and documents the risk of indirect prompt injection due to the Gemini CLI's ability to read workspace files and execute tools.
  • Ingestion points: The skill ingests data through the --PROMPT argument and any workspace files within the directory specified by the --cd flag in scripts/gemini_bridge.py.
  • Boundary markers: No programmatic boundary markers are used to isolate untrusted data; the skill relies on user-provided instructions within the prompt to define output constraints.
  • Capability inventory: The underlying Gemini CLI possesses capabilities for file system modification and shell command execution. The bridge script exposes these capabilities to the agent.
  • Sanitization: Input prompts and workspace data are passed to the CLI without sanitization, which is the intended behavior for an LLM-based collaborator.
  • Mitigation: The skill documentation explicitly recommends using the --sandbox flag to disable file writes and shell commands when performing sensitive tasks, providing a necessary security control for the user.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 04:18 PM
Security Audit — agent-trust-hub — collaborating-with-gemini