baoyu-danger-gemini-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill makes HTTP requests to public Gemini/Google endpoints (e.g., Endpoint.GENERATE/BATCH_EXEC in scripts/gemini-webapi/constants.ts and client.ts) and parses the returned model/candidate content (client.ts, parsing.ts) including web image URLs which it then downloads (scripts/gemini-webapi/types/image.ts and main.ts), so untrusted third‑party content (model responses, web image URLs and potentially custom "gems") is ingested and directly influences the agent's outputs/behavior.