Security audit

Deep Research (Gemini)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for Gemini-backed research, but it needs Review because it can upload local files to Google and can delete remote stores without an explicit confirmation flag in non-interactive agent runs.

Install only if you are comfortable letting the agent send explicitly selected files to Google Gemini. Use `--dry-run` and narrow paths, avoid uploading secrets or credential files, use a scoped API key, and do not let autonomous agents run `store delete`, `state clear`, or `state gc` without your own allowlist or approval step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%

The script exposes administrative capabilities to create, list, and delete remote file search stores, which goes beyond a narrowly scoped deep-research/query skill. In agentic or automated environments, this scope expansion increases the blast radius: an agent granted access for research can also mutate or destroy remote resources.

Context-Inappropriate Capability

Severity: High
Confidence: 97%

The `delete` command automatically sets `force=true` when stdin is non-interactive, which is exactly how many AI agents and automation frameworks invoke tools. This removes the last safety check for a destructive remote operation and can lead to silent deletion of file search stores from prompt injection, agent mistakes, or unintended tool use.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%

The script uploads local files into a remote Gemini File Search store, which is a material data-ingestion capability not clearly reflected in the stated skill description. In an agent-skill context, understated remote upload behavior increases the risk of operators invoking it without realizing local project data will be transmitted off-host.

Missing User Warnings

Severity: Medium
Confidence: 89%

The documented `state clear` command resets workspace state but the guide does not warn that tracked IDs, stores, or history may be lost. In an agent-oriented skill, omission of a destructive-action warning increases the chance of accidental data loss or disruption when an LLM follows the decision tree mechanically.

Missing User Warnings

Severity: Medium
Confidence: 92%

The `store delete` capability is listed as routine cleanup without clearly stating that deletion is irreversible and may remove an entire document collection. In an agent skill, this can lead to unintended destruction of user data if the model chooses cleanup actions autonomously or misinterprets user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%

The `upload` command adds local documents to a store backed by an external Gemini-related service, but the skill omits a privacy notice that local files leave the machine. That omission is risky because agents may upload sensitive source code, credentials, or proprietary documents without surfacing the data-transfer implication to the user.

Missing User Warnings

Severity: Medium
Confidence: 97%

The decision tree recommends `research.py start ... --context ./path` for grounding on local files, but it does not explicitly warn that those files may be uploaded to remote services to create a context store. In this skill's context, that is especially dangerous because the feature is marketed as universal for many agents, increasing the chance of automated exfiltration of sensitive local repository contents.

Missing User Warnings

Severity: Medium
Confidence: 95%

The README promotes `--context` as grounding research in local files, but it does not clearly and prominently warn that those files are uploaded to Google's Gemini service. Users may reasonably assume analysis is local or transient, and could unintentionally send proprietary code, secrets, or regulated data to a third-party API.

Missing User Warnings

Severity: Medium
Confidence: 89%

The README states that confirmation prompts are automatically skipped in non-interactive mode, but does not clearly frame this as a destructive-behavior risk. In CI or agent-driven environments, commands like delete/clear can proceed without human review, increasing the chance of accidental data loss or unintended cleanup.

Missing User Warnings

Severity: Medium
Confidence: 91%

When `--context` is used, the tool recursively uploads local files to a remote Gemini file-search store, but the user-facing flow does not clearly warn that local file contents are being transmitted off-system. In a research helper whose primary purpose is to analyze local codebases, this increases the risk of accidental disclosure of proprietary or sensitive source content even though some secret filenames are filtered.

Missing User Warnings

Severity: Medium
Confidence: 89%

The `--file` with `--use-file-store` path uploads a user-selected file to a remote file-search store without a prominent privacy warning. Although the file is explicitly chosen, users may reasonably assume a local attachment rather than remote persistence/processing, creating an avoidable data-exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 92%

The `clear` command deletes the local state file without user confirmation when stdin is non-interactive. In agent or automation contexts, this removes a safety barrier and can cause silent destructive actions if the command is triggered unintentionally or through prompt/tool misuse. The impact is limited to local workspace metadata, but it can disrupt tracking of research IDs, upload operations, and store mappings.

Missing User Warnings

Severity: Medium
Confidence: 96%

Auto-accepting deletion when no TTY is present bypasses user awareness and consent for a destructive action. In the context of a research-oriented skill intended for broad agent use, non-interactive execution is common, so this behavior materially increases the chance of accidental or induced data loss.

Missing User Warnings

Severity: Medium
Confidence: 96%

Single-file uploads bypass the sensitive-file filtering implemented for recursive directory collection, so a user can directly upload files such as `.env`, `.npmrc`, private keys, or service-account material if the MIME type is accepted. Because this tool is explicitly designed to send local files to a remote search store, the lack of warning or blocking on direct-file mode materially raises credential and secret exfiltration risk.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.