gemini-deepresearch
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references and requires the installation of the
geminiCLI from Google's official GitHub repository (github.com/google/gemini-cli). As this is a well-known service provided by a trusted organization, this dependency is considered safe and used as intended for the skill's 'Lite' mode. - [COMMAND_EXECUTION]: The skill executes external commands to perform its primary functions:
- In
scripts/lite_research.sh, it invokes thegeminiCLI tool with user-provided topics and outlines to generate research drafts. - In
SKILL.md, it describes the use ofpythonandbashto run the provided research scripts. - These executions are part of the intended functionality and use standard shell quoting for variables like
$TOPICand$MODEL. - [PROMPT_INJECTION]: The skill exhibits an attack surface for Indirect Prompt Injection (Category 8) due to its core functionality of processing external data:
- Ingestion points: Untrusted data enters the agent context through the
data_dir(scanned recursively indeep_research.py),attachments(PDFs, images, videos), and theoutline.mdfile. - Boundary markers: The prompt construction in
build_research_promptandlite_research.shuses structural labels (e.g., 'Research topic:', 'Research提纲') to delimit content, but lacks explicit instructions to the AI to ignore instructions embedded within the processed files. - Capability inventory: The Gemini Deep Research agent has access to
google_search,url_context, andfile_search(via Google's infrastructure). It can also generate reports and store sessions. - Sanitization: No sanitization or filtering is performed on the content of files uploaded to the
FileSearchStoreor passed as attachments.
Audit Metadata