collaborating-with-gemini
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/gemini_bridge.pyscript executes the externalgeminiCLI tool to facilitate collaboration. - Command execution is implemented using
subprocess.Popenwithshell=False, which effectively prevents shell injection by ensuring arguments are not interpreted by a command shell. - The script utilizes
shutil.whichto verify and resolve the path of thegeminiexecutable, ensuring it is correctly located within the user's environment. - [PROMPT_INJECTION]: The skill acknowledges and documents the risk of indirect prompt injection due to the Gemini CLI's ability to read workspace files and execute tools.
- Ingestion points: The skill ingests data through the
--PROMPTargument and any workspace files within the directory specified by the--cdflag inscripts/gemini_bridge.py. - Boundary markers: No programmatic boundary markers are used to isolate untrusted data; the skill relies on user-provided instructions within the prompt to define output constraints.
- Capability inventory: The underlying Gemini CLI possesses capabilities for file system modification and shell command execution. The bridge script exposes these capabilities to the agent.
- Sanitization: Input prompts and workspace data are passed to the CLI without sanitization, which is the intended behavior for an LLM-based collaborator.
- Mitigation: The skill documentation explicitly recommends using the
--sandboxflag to disable file writes and shell commands when performing sensitive tasks, providing a necessary security control for the user.
Audit Metadata