ClawHub
Back to skill

Security audit

Gemini Worker

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it encourages unattended Gemini runs that can read, write, execute shell actions, and reuse cached credentials with limited safety guidance.

Install only if you intentionally want Gemini CLI to act as an autonomous worker. Use a dedicated low-privilege account or container, include only narrow task-specific directories, avoid untrusted prompts or fetched pages in `--yolo` runs, protect `~/.gemini/oauth_creds.json`, and review generated file changes before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The pre-fetch helper explicitly introduces outbound network access via `curl` and local file writes in a skill otherwise framed as a headless worker pattern library. That expands the trust boundary: operators may use it to send internal URLs, tokens, or sensitive query parameters to external endpoints without an explicit warning, making accidental data exfiltration or policy violations more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README repeatedly promotes running Gemini in headless `--yolo` mode with file reads, writes, and shell execution, but it does not prominently warn that this grants the model broad authority to modify the filesystem and execute commands. In an agent/automation context, users may treat the examples as safe defaults and run untrusted prompts or broad directory scopes, leading to destructive changes or data exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README tells users that OAuth credentials are cached at `~/.gemini/oauth_creds.json` and that headless runs reuse them, but it does not clearly warn that this file is a sensitive secret. In shared hosts, CI runners, or permissive home-directory setups, disclosure or reuse of that credential file could allow unauthorized access to the associated Gemini account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly recommends running Gemini with `--yolo` and `--include-directories`, which auto-approves tool actions and grants read/write access to specified paths, yet it does not provide a clear warning about the risk of unintended file modification, data disclosure, or destructive actions. In a headless worker context, this is especially dangerous because there is no interactive checkpoint for a user to review actions before they occur.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to rely on cached OAuth credentials in `~/.gemini/oauth_creds.json` for headless runs but does not warn that these credentials are sensitive and could enable unauthorized use if exposed, copied, or included in broader filesystem access. Because the skill is specifically designed for automation and background execution, normal user awareness and review are reduced, increasing the chance of credential mishandling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly recommends `gemini -p ... --yolo` as the working headless pattern and presents it as the solution without any caution that `--yolo` auto-approves all tool calls. In a worker-agent skill, this increases the chance that prompt-influenced or model-selected actions execute without human review, which can lead to unintended file changes, command execution, or data access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file explains how `--include-directories` grants additional read/write access and gives examples including sensitive paths such as `/root/.openclaw/workspace` and `/tmp/task-output`, but does not warn about over-broad filesystem exposure or integrity risks. In the context of a headless auto-approved worker, expanding writable scope can enable unauthorized reading of secrets, modification of project files, or destructive writes if the prompt or downstream content is adversarial.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file-write templates instruct the agent to write outputs directly to paths but do not warn that existing files may be overwritten or that output paths should be constrained. In an automation context, this can cause unintended modification or destruction of local files, especially when prompts are adapted carelessly or paths are parameterized from untrusted task input.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This helper both fetches remote content and stores it locally, but provides no user-facing notice about privacy, provenance, or the risk of importing untrusted external data into subsequent agent workflows. In this skill context, that is more dangerous because the fetched file is immediately positioned as trusted input for code generation, increasing the chance of prompt injection, tainted outputs, or data-handling policy violations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The troubleshooting guidance recommends `pkill -f "gemini"`, which broadly matches and terminates all processes whose command line contains `gemini`. In a shared or multitasking environment, this can kill unrelated interactive Gemini sessions, interrupt active work, and cause loss of unsaved state or partial outputs. The skill context increases the risk because it is explicitly designed for headless, long-running, and parallel worker usage, making collateral termination of other jobs more likely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The stale-processes section instructs users to kill all Gemini processes before rerunning, again using a blanket process match without any caution about active sessions. This creates an availability and integrity risk by disrupting concurrent worker jobs or interactive authentication flows, especially in environments where multiple Gemini tasks may run in parallel. In this skill's context, parallelization is a stated use case, so indiscriminate termination is more dangerous than in a single-user, single-process workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script invokes Gemini with `--yolo`, which typically authorizes autonomous tool actions with reduced confirmation barriers. In this skill's context, the tool is explicitly intended to run headlessly with workspace access and caller-supplied prompts, so prompt content can induce unintended file modifications, command execution, or other side effects across the included directories without an explicit safety gate.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal