Gemini Deep Research

Verdict: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: gemini-deep-research
Version: 1.0.0

The skill is designed to interact with the Gemini Deep Research API for complex research tasks. It correctly handles the `GEMINI_API_KEY` by reading it from environment variables or CLI arguments and uses it to authenticate with the legitimate Google API endpoint (`generativelanguage.googleapis.com`). The script saves research reports locally to user-specified or default directories, which is a core function. There is no evidence of unauthorized data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the OpenClaw agent, or obfuscation. All observed behaviors are aligned with the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You must base trust mainly on the provided files rather than a verifiable upstream project.

Why it was flagged

The bundled code is visible and no remote installer is present, but the registry metadata does not identify an upstream source or homepage for independent provenance checks.

Skill content
Source: unknown; Homepage: none
Recommendation

Review the included script before use and prefer a verified upstream source if one becomes available.

What this means

The key can access or bill your Gemini account according to its permissions and quota; command-line entry may expose it in shell history or process listings on shared systems.

Why it was flagged

The script uses a Gemini API key for authenticated calls, which is expected for this service, and also permits passing the key on the command line.

Skill content
parser.add_argument("--api-key", help="Gemini API key (overrides GEMINI_API_KEY env var)") ... api_key = args.api_key or os.environ.get("GEMINI_API_KEY") ... "x-goog-api-key": api_key
Recommendation

Prefer the GEMINI_API_KEY environment variable or a secret manager, avoid using --api-key on shared machines, and consider a restricted or quota-limited key.

What this means

Research prompts and any selected file-search context may be processed by Google's service outside your local environment.

Why it was flagged

User research queries, and optionally a Gemini file-search store reference, are sent to Google's Gemini Deep Research endpoint.

Skill content
API_BASE = "https://generativelanguage.googleapis.com/v1beta" ... payload = {"input": query, "agent": AGENT_MODEL, "background": True} ... payload["tools"] = [{"type": "file_search", "file_search_store_names": [file_search_store]}] ... requests.post(f"{API_BASE}/interactions", headers=headers, json=payload)
Recommendation

Do not include confidential data or attach a file-search store unless you intend Gemini to process that material.

What this means

Local output files may contain sensitive prompts, report contents, retrieved context, or metadata that remains after the run.

Why it was flagged

The script intentionally saves both the final report and full interaction metadata to local files.

Skill content
md_path.write_text(report); json_path.write_text(json.dumps(result, indent=2))
Recommendation

Use a private output directory and delete or redact saved markdown/JSON files when they are no longer needed.

Note: High Confidence
ASI10: Rogue Agents
What this means

A research job can run for minutes or hours and may consume API quota while it is active.

Why it was flagged

The code starts a background Gemini interaction and polls until it completes or fails, matching the disclosed long-running research purpose.

Skill content
payload = {"input": query, "agent": AGENT_MODEL, "background": True} ... while True: ... time.sleep(10)
Recommendation

Start runs deliberately, monitor Gemini API usage, and stop or cancel provider-side work if you no longer need the research.