Playing with Gemini CLI: Riddles, Magic and some security Vibes | IT meets OT
Inspired by this excellent blog post, I decided to play around with Gemini CLI. I installed the newest version 0.1.14 from Homebrew (officially supported) which vibe-fixes the issue.
Gemini CLI is the newest CLI based agent from Google. It’s “a command-line AI workflow tool that connects to your tools, understands your code and accelerates your workflows.”
When asked to fetch content from the Internet, Gemini CLI uses its own tool called webfetch. The tool itself uses LLM-based processing to filter/process the content.
This is how the webfetch tool roughly works: When the agent calls the webfetch tool, it gives the url and if applicable a keyword (user prompt). The tool calls Gemini LLM directly with this information:
This means that the get query to the url is handled by the central Google infrastructure, not by the client where the CLI is installed. If this fails, a fallback mode is implemented. This fallback mode uses the client to execute the get query:
The question is: does it make a difference from security perspective? Most probably yes. Network exposure shifts from Google’s servers to the client. In fallback mode the raw content is directly passed to the LLM without filter which the central infrastructure may apply. An attacker can easily force the fallback mode by blocking requests from the central Gemini LLM directly (something many sites do anyhow).
