gemini-cli
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to read and transmit local file content (such as authentication middleware, security-sensitive logic, and system logs) to the external Google Gemini CLI service for analysis. This involves sending potentially sensitive intellectual property or credentials to a third-party LLM provider.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (analyzed source code and error logs) and interpolates it into prompts for the Gemini model without explicit boundary markers or sanitization, creating an attack surface where malicious code comments or logs could influence model behavior.
  - Ingestion points: SKILL.md (via `cat`, `tail`, or `--all-files`), references/models-guide.md.
  - Boundary markers: Absent; file content is piped directly into the CLI prompt.
  - Capability inventory: SKILL.md (shell execution of `gemini` CLI), scripts/install-gemini-coach.sh (file copying and permission changes).
  - Sanitization: Absent; the skill does not escape or filter content before analysis.
- [COMMAND_EXECUTION]: The skill includes shell scripts (`install-gemini-coach.sh`, `setup-slash-command.sh`) that copy files and modify execution permissions (chmod +x) on the user's local system. These scripts reference an `assets/` directory whose contents are not included in the source package, making the resulting binaries unverifiable.
- [EXTERNAL_DOWNLOADS]: The skill instructions guide users to install the `@google/gemini-cli` package via NPM. While this is an official tool from a well-known service provider, it represents a dependency on an external global package.
Audit Metadata