claude-use-gemini-acp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly delegates work to the Gemini CLI (SKILL.md) and states it can do "real-time Google Search grounding", and the script spawns gemini-cli with --acp and --yolo (scripts/gemini-delegate.mjs), which allows Gemini to autonomously fetch and act on untrusted web content whose instructions can materially influence outputs and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill spawns "pnpm dlx @google/gemini-cli@" at runtime, which fetches and executes remote code from the npm package @google/gemini-cli (e.g. https://registry.npmjs.org/@google/gemini-cli) and is required for the skill to handle prompts via Gemini, so it is a runtime external dependency that executes remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill spawns an external Gemini CLI subprocess with the "--yolo" auto-approve flag and explicitly permits filesystem/tool access (including referencing absolute paths), which enables the delegated model to run arbitrary tool calls that can modify system state even though the prompt doesn't explicitly request sudo or user creation.