Trust Assessment
gemini received a trust score of 23/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 2 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Potential Shell Command Injection via User-Controlled Prompt.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Potential Shell Command Injection via User-Controlled Prompt | The skill constructs shell commands by embedding user-provided input (the 'prompt') directly into the command string without apparent sanitization or escaping. An attacker could inject arbitrary shell commands by crafting a malicious prompt, e.g., by including shell metacharacters like `;` or `&&` to execute commands outside the intended `gemini` CLI call. This could lead to arbitrary code execution on the host system. | All user-provided input used in shell commands must be rigorously sanitized and properly escaped to prevent command injection. Consider using a dedicated library for shell command construction that handles escaping automatically, or explicitly escape all special characters in the user's prompt before embedding it in the command string. For example, use `shlex.quote()` in Python. | Static | SKILL.md:57 |
| HIGH | Prompt Injection into Downstream LLM via `gemini` CLI | The skill instructs the agent to pass user-provided prompts directly to the `gemini` CLI tool, which then interacts with a large language model. If the user's prompt contains instructions designed to manipulate the `gemini` LLM (e.g., 'ignore previous instructions', 'act as a malicious entity', 'reveal system prompts'), these could be passed through, leading to prompt injection against the `gemini` model itself. This could result in the LLM performing unintended actions, generating harmful content, or revealing sensitive information. | Implement robust input validation and sanitization for user prompts. Consider using a 'red-teaming' approach to filter out known prompt injection patterns. If possible, structure the interaction with the `gemini` CLI to separate user input from system instructions, or use a 'sandwich' defense where user input is bracketed by strong system instructions. | Static | SKILL.md:57 |
| HIGH | Data Exfiltration Risk via User-Controlled `--include-directories` | The skill allows the agent to use the `--include-directories <DIR>` flag with the `gemini` CLI. If an attacker can control the `<DIR>` argument, they could instruct the `gemini` tool to process sensitive files or directories outside the intended scope (e.g., `/etc`, `/root`, or other user directories). Since the `gemini` tool is designed to 'review' and 'analyze' codebases, it will read the contents of these files. If the `gemini` tool's output (which the agent is instructed to capture) then includes sensitive data from these files, it could lead to data exfiltration. | Strictly validate and sanitize any user-provided directory paths. Implement a whitelist of allowed directories or ensure that paths are confined to a secure, isolated workspace. Avoid allowing arbitrary directory paths from untrusted input. If possible, run the `gemini` tool in a containerized or sandboxed environment with minimal filesystem access. | Static | SKILL.md:34 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Excessive Filesystem Scope for `gemini` Tool | The `gemini` CLI tool, when used for 'code review' or 'big context analysis', inherently requires broad read access to the filesystem. Combined with the `--include-directories` flag, if the agent executes with broad permissions and user input is not properly restricted, the `gemini` tool could be directed to read any file accessible to the agent. This constitutes an excessive filesystem scope, increasing the blast radius in case of a successful command or prompt injection. | Run the agent and the `gemini` CLI tool with the principle of least privilege. Implement a secure execution environment (e.g., Docker container, chroot jail) that limits filesystem access to only the necessary project directories. Validate and restrict user-provided directory paths to prevent access to sensitive system areas. | Static | SKILL.md:34 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/dd065987f3b36678