claude-use-gemini-acp

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/gemini-delegate.mjs spawns the Gemini CLI with the --yolo (or -y) flag. This flag is explicitly designed to auto-approve all tool calls requested by the Gemini model. This creates a vector for autonomous command execution or filesystem manipulation on the local host if the model is successfully subverted.
  • [EXTERNAL_DOWNLOADS]: The skill uses pnpm dlx to dynamically download and execute the @google/gemini-cli package. While the package belongs to a well-known technology company, the use of nightly versions and runtime downloads introduces dependency management risks and increases the impact of potential supply chain issues.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). It facilitates a chain where untrusted data processed by the agent can be passed to a secondary model that has been granted autonomous execution permissions.
      • Ingestion points: Command-line arguments in scripts/gemini-delegate.mjs capture the prompt text.
      • Boundary markers: Absent. The prompt is passed to the Gemini model as raw text without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The spawned gemini-cli has access to local filesystem tools and networking, governed by the --yolo auto-approval policy.
      • Sanitization: Absent. There is no validation or filtering of the prompt text before delegation.
  • [DATA_EXFILTRATION]: Because the delegated model has autonomous tool access and no user-in-the-loop confirmation (via --yolo), it could be instructed via a malicious prompt to read sensitive local files (e.g., .env, SSH keys, or cloud credentials) and transmit them to an external endpoint via its own toolset.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 12, 2026, 07:07 AM