research
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a bash command `gemini -y -m <gemini.model> "...your search prompt..."`. The interpolation of variables (model name and search prompt) directly into a shell string poses a risk of command injection if these values contain shell metacharacters like backticks or semicolons.
- [DATA_EXPOSURE]: The instructions direct the agent to read configuration from `~/.claude/.ck.json` and `.claude/.ck.json`. Accessing hidden configuration files in the user's home directory is a sensitive operation, as these files may contain environment-specific settings or credentials.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves content from external websites via `WebSearch` and from GitHub repositories via `docs-seeker`. This untrusted data is processed and used to influence subsequent agent actions and reports.
- Ingestion points: Fetches content from arbitrary URLs and GitHub repositories in SKILL.md (Phase 2).
- Boundary markers: No specific delimiters or instructions to ignore embedded commands in the fetched data are defined.
- Capability inventory: Includes shell command execution via the `gemini` CLI and file writing for report generation.
- Sanitization: There is no evidence of sanitization or validation of the external content before it is incorporated into the agent's context or used to form shell commands.
Audit Metadata