Skill v1.0.0
ClawScan security
gemini-file · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 12:43 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose: it calls the Gemini CLI, writes results to a local outputs/ directory, and returns a JSON containing an absolute file path; nothing requested appears disproportionate.
- Guidance: This skill appears to do what it says: call the Gemini CLI and save results to a local file. Before installing, confirm you trust the gemini-cli Homebrew formula and the gemini executable (it will be invoked by the script). Be aware the skill will write files under its outputs/ directory in the skill folder. The SKILL.md includes a hardcoded example path (/Users/shichen/...), which is a documentation leftover — ensure your agent runs the included script (or adjust the path) rather than an arbitrary path on disk. If you need stronger assurance, inspect the gemini binary you install and review gemini_file_runner.py (it is short and readable) prior to use.
Review Dimensions
- Purpose & Capability (note): Name/description (Gemini CLI one-shot Q&A, summaries, generation) align with the declared requirement of a gemini binary and a brew install of gemini-cli. Minor oddity: SKILL.md uses a hardcoded user-specific path (/Users/shichen/skills/gemini/...) in its examples, which is a documentation artifact but does not match the included script's relative location—this is sloppy but not fundamentally incoherent.
- Instruction Scope (note): Runtime instructions and the included Python runner stay within scope: they invoke the gemini CLI, capture stdout, save it to a file in the skill's outputs/ directory, and emit a JSON response. Note the SKILL.md example directs running a script from an absolute, user-specific path; if an agent follows that exact path it could fail or run a different file if present. The script itself does not read other files, environment variables, or send data to external endpoints beyond invoking the gemini binary.
- Install Mechanism (ok): Install spec is a single Homebrew formula (gemini-cli) which produces the expected gemini binary — a low-risk, standard mechanism for installing a CLI.
- Credentials (ok): No environment variables, credentials, or config paths are required. The script does not reference secrets or unrelated credentials.
- Persistence & Privilege (note): Skill does not request persistent/global privileges (always:false). It writes output files under its own outputs/ directory (normal behavior). Users should be aware the skill will create files on disk in the skill folder.
