gemini-cli-integration

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It facilitates the ingestion of untrusted external data into the agent's context by analyzing entire codebases.
      • Ingestion points: Found in SKILL.md via commands like gemini -p "@./ ..." and gemini --all_files.
      • Boundary markers: The skill does not provide or recommend using delimiters (e.g., XML tags or triple backticks) to isolate codebase content from system instructions.
      • Capability inventory: The tool documentation in references/gemini-cli-help indicates capabilities for file editing, reading, and executing arbitrary tools via extensions and MCP servers.
      • Sanitization: No evidence of input validation or sanitization of file content is present in the skill instructions.
  • [COMMAND_EXECUTION]: The skill promotes the use of autonomous execution modes that bypass human-in-the-loop safety checks.
      • Evidence: SKILL.md explicitly recommends --approval-mode yolo and --yolo, which the CLI help confirms will 'Automatically accept all actions'.
      • Risk: When combined with the indirect prompt injection surface described above, an attacker could hide instructions in a repository that the agent would then execute autonomously (e.g., deleting files, exfiltrating data, or modifying sensitive configurations).
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 30, 2026, 02:20 AM
Security Audit — agent-trust-hub — gemini-cli-integration