Security risk report for @forgecat/google-gemini_gemini-skills_gemini-live-api-dev v0.0.4
Source Integrity
Low
Profile references official Google Gemini repository (https://github.com/google-gemini/gemini-skills) with Apache 2.0 license, indicating legitimate upstream source.
Documentation cites official Google SDKs (google-genai, @google/genai) and partner integrations (LiveKit, Pipecat, Fishjam, etc.), all well-known and reputable services.
Agent Intent
Low
Content is purely educational documentation for the Gemini Live API; it describes features, models, SDKs, and usage patterns without attempting to manipulate the AI agent.
No instructions to read credentials, exfiltrate data, ignore system prompts, install malicious dependencies, or weaken security defaults.
Code examples follow standard API usage patterns and recommend official, legitimate packages (google-genai, @google/genai).
Details
Evidence
All code snippets use official Google SDKs with standard authentication patterns.
Documentation recommends deprecated SDK migration to official newer versions, not typosquatted or attacker-controlled packages.
No hidden instructions, role-hijacking language, or guidance poisoning detected.
Permissions
Low
No tools or skills with file system, shell, or network access are declared in this profile.
Profile is purely informational documentation with no executable hooks, rules, or agent directives that demand elevated permissions.
Details
Evidence
Declared tools section is empty.
Content consists of markdown documentation, API reference, and code examples only.
MCP Risk
Low
No MCP servers are defined or referenced in this profile.
Profile contains no tool definitions, binary execution directives, or network/filesystem access configurations.
Details
Evidence
MCP servers section is empty.
Content is static documentation with no dynamic server integration.