
Gemini CLI — agentic threat model

AIVSS 9.9 · Critical

Gemini CLI presents a high-risk profile due to its direct shell execution and file manipulation capabilities combined with web grounding, making it highly susceptible to indirect prompt injection leading to arbitrary code execution on the host system.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.13
Factor sum: 5.7 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.80
Self-Modification: 0.30
Dynamic Tool Use: 0.90
Persistent Memory: 0.30
Contextual Awareness: 0.80
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.40
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
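As an added example (not code from this listing or from the Gemini CLI project), the Python below reproduces the 9.9 from the formula and the ten factor values, and also computes the largest uplift the agentic factors can add at a given CVSS base; for these inputs that ceiling is 0.22, which is why the final score is almost entirely the CVSS base. The factor values are transcribed from the listing; not capping the result at 10 is an assumption, since the page states no cap.

```python
# Agentic risk factors as shown on this listing (transcribed, not computed).
FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}


def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return (factor_sum, aars, aivss) using the formula quoted on the page.

    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    Inputs are validated so a mis-keyed factor cannot silently inflate the score.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within [0, 10]")
    if len(factors) != 10:
        raise ValueError("AIVSS uses exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range [0, 1]: {value}")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    # Assumption: no cap at 10.0 is applied, because the page does not state one;
    # with ThM > 1 and a high base the raw value can exceed 10.
    aivss = (cvss_base + aars) * mitigation_factor
    return factor_sum, aars, aivss


def max_agentic_uplift(cvss_base, threat_multiplier=1.0):
    """Largest AARS possible at this base, i.e. all ten factors scored 1.0."""
    return (10.0 - cvss_base) * threat_multiplier


if __name__ == "__main__":
    total, aars, score = aivss_score(9.8, FACTORS, threat_multiplier=1.1)
    print(f"factor sum {total:.1f}, AARS {aars:.2f}, AIVSS {score:.1f}")
    print(f"max uplift at base 9.8: {max_agentic_uplift(9.8, 1.1):.2f}")
```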

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Uses Gemini 2.5 Pro. Highly vulnerable to indirect prompt injection via web grounding (Google Search) or reading untrusted local files, which can hijack the model's reason-and-act (ReAct) loop.

L2 · Data Operations (✓ mapped)

Processes local files, multimodal inputs (images, video), and web grounding data. Risks include data exfiltration if the model is manipulated into sending local file contents to external endpoints via search queries or MCP tools.

L3 · Agent Frameworks (✓ mapped)

Orchestrated via ReAct loops and Model Context Protocol (MCP). Insecure tool integration is a primary threat, as the framework translates LLM outputs directly into terminal commands and file modifications.

L4 · Deployment & Infrastructure (✓ mapped)

Deploys directly on the user's host operating system (Windows, macOS, Linux). Lacks default sandboxing, meaning any compromised execution inherits the full privileges of the terminal user, leading to potential host compromise.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — the tool runs directly in the terminal, likely relying on standard output/error for logging, with no explicit mention of security guardrails, evaluation frameworks, or policy enforcement.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — it likely inherits the host user's permissions and environment variables without its own independent access control, authentication, or compliance auditing mechanisms.

L7 · Agent Ecosystem (✓ mapped)

Integrates with Gemini Code Assist and external MCP tools. Threats include trust abuse with third-party MCP servers and cascading failures if an external tool returns malicious payloads that hijack the CLI's execution flow.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).