gemini-deepresearch

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references and requires the installation of the gemini CLI from Google's official GitHub repository (github.com/google/gemini-cli). As this is a well-known service provided by a trusted organization, this dependency is considered safe and used as intended for the skill's 'Lite' mode.
  • [COMMAND_EXECUTION]: The skill executes external commands to perform its primary functions:
  • In scripts/lite_research.sh, it invokes the gemini CLI tool with user-provided topics and outlines to generate research drafts.
  • In SKILL.md, it describes the use of python and bash to run the provided research scripts.
  • These executions are part of the intended functionality and use standard shell quoting for variables like $TOPIC and $MODEL.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for Indirect Prompt Injection (Category 8) due to its core functionality of processing external data:
  • Ingestion points: Untrusted data enters the agent context through the data_dir (scanned recursively in deep_research.py), attachments (PDFs, images, videos), and the outline.md file.
  • Boundary markers: The prompt construction in build_research_prompt and lite_research.sh uses structural labels (e.g., 'Research topic:', 'Research提纲') to delimit content, but lacks explicit instructions to the AI to ignore instructions embedded within the processed files.
  • Capability inventory: The Gemini Deep Research agent has access to google_search, url_context, and file_search (via Google's infrastructure). It can also generate reports and store sessions.
  • Sanitization: No sanitization or filtering is performed on the content of files uploaded to the FileSearchStore or passed as attachments.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 16, 2026, 06:15 PM
Security Audit — agent-trust-hub — gemini-deepresearch