Back to skill

Security audit

Baoyu Danger Gemini Web

Security checks across malware telemetry and agentic risk

Overview

The skill is largely honest about using a reverse-engineered Gemini Web flow, but it handles Google session cookies and browser state in ways that deserve careful review before installation.

Install only if you are comfortable letting this skill use a Google/Gemini web session. Prefer a dedicated Chrome profile and private data directory, avoid using it with a high-value Google account, do not pass sensitive reference files or prompts, and periodically delete its saved cookies and sessions if you no longer need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises networked generation and clearly relies on environment variables and browser/cookie handling, yet no explicit permissions are declared. That gap undermines least-privilege controls and informed consent, because an agent or user may invoke code with broader capabilities than the manifest suggests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is narrower than the described operational behavior: beyond generation, it performs browser automation, reuses existing Chrome debugging sessions, reads/writes Google auth cookies, persists chats locally, and may manage Gemini 'Gems'. This mismatch is dangerous because users may authorize a seemingly simple generation skill without realizing it can access privacy-sensitive browser state and stored conversations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code actively connects to an existing Chrome DevTools session or launches Chrome, reads Google/Gemini authentication cookies via CDP, validates them against Gemini endpoints, and persists the cookies locally for reuse. Harvesting browser session cookies is credential-access behavior that can enable account hijacking or unauthorized API use, and it is far beyond what is necessary for a normal text/image generation skill.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The invocation guidance includes broad trigger text such as using the skill whenever image generation backend or Gemini generation is needed. Overly broad routing increases the chance this high-risk skill is auto-selected in situations where a safer, official, or less privileged backend would suffice.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The authentication section notes browser login, cached cookies, and possible reuse of an already-running Chrome/Chromium debugging session, but it does not clearly warn that this may expose privacy-sensitive account data and browser session context. In this skill's context, that omission is especially dangerous because the API is reverse-engineered and the auth flow may access existing local browser state rather than an isolated login process.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The client persists live Gemini authentication cookies to disk via write_cookie_file(...) after initialization, which creates a durable local copy of bearer-style session secrets. If the host is multi-user, compromised, backed up to insecure locations, or the cookie file has weak permissions, an attacker can reuse the cookies to impersonate the user and access their Gemini session.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The auto-refresh path writes refreshed __Secure-1PSIDTS cookies back to disk, continuously extending the lifetime of locally stored session material. This increases exposure because a stolen cookie file remains current and usable for longer, making session hijacking more practical.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The save method will attach caller-supplied cookies to whatever URL is stored in this.url and then manually follow up to 10 redirects, recomputing the absolute redirect target each time. Because there is no origin allowlist or check that redirects remain on trusted Gemini/Google domains, an attacker-controlled image URL or redirect chain could exfiltrate authenticated cookies to an arbitrary host, especially significant here because GeneratedImage is explicitly designed to reuse Gemini session cookies.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists authentication cookies to disk in plaintext JSON without applying restrictive file permissions, encryption, or any user-consent boundary. Because these cookies likely grant access to a reverse-engineered Gemini web session, local compromise, accidental backup/sync exposure, or other processes running under the same user could steal them and hijack the account/session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code automatically loads Google cookies from the user's browser via Chrome CDP and later persists working cookies to disk, but there is no consent gate, warning, or scope restriction in this file. Because the cookies involved are authentication cookies (__Secure-1PSID / __Secure-1PSIDTS), this behavior can silently appropriate sensitive credentials and expand access beyond what the caller explicitly supplied.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The request sends authentication cookies in a Cookie header to initialize access against a reverse-engineered web API, yet there is no visible user disclosure or confirmation in this code path. While sending cookies to the intended service is functionally necessary, the lack of explicit consent and the use of harvested or cached cookies increases the risk of unauthorized account use if upstream controls are weak.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
After collecting live Google/Gemini session cookies, the code filters and writes them to a local cookie file, creating a persistent credential cache on disk. Storing reusable session cookies increases the blast radius of compromise because any local attacker, malicious process, or later exfiltration bug can reuse them to impersonate the user.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code invokes Network.getCookies for Google domains from a browser session and converts the results into a reusable cookie map, which is direct access to sensitive authentication material. There is no clear disclosure or consent gate in this file, and the surrounding behavior suggests intentional session extraction rather than ordinary browser automation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code writes the refreshed __Secure-1PSIDTS authentication cookie to a plaintext cache file on disk derived from the SID value. Authentication cookies are bearer secrets, so storing them unencrypted increases the risk of credential theft from local compromise, backups, logs, shared home directories, or permissive filesystem settings.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This function reads an arbitrary local file path and uploads the file contents to a remote endpoint, but the code itself provides no consent check, allowlist, path restriction, or user-visible disclosure before exfiltrating local data. In a skill that is explicitly designed to send prompts and media to a reverse-engineered external Gemini web API, this behavior is more dangerous because other components may pass sensitive local files into this helper without strong trust boundaries or clear user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --sessionId is used, the script automatically persists full user and assistant conversation content to disk in a session file without any explicit runtime disclosure or opt-in at the point of use. In this skill’s context, prompts may include sensitive text, credentials, proprietary data, or image-derived content, so silent transcript retention increases privacy and data exposure risk if local files are later accessed by other users, processes, backups, or malware.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/gemini-webapi/utils/paths.ts:38