Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gemini Deep Research
v1.0.0
Performs complex, multi-step research on specified topics, synthesizing web data into detailed markdown reports with progress updates, now integrated into re...
by @jirboy
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill name/description and the included Python client are coherent: it contacts Google's Generative Language (Gemini) deep-research agent, polls for results, and saves reports. Requiring a Gemini API key is appropriate for this purpose. However, the registry metadata lists no required environment variables or primary credential while SKILL.md and the script explicitly require GEMINI_API_KEY — this metadata omission is an inconsistency.
Instruction Scope
SKILL.md and scripts focus on long-running research: creating an interaction, polling, extracting text, and writing markdown/JSON output. The instructions and code only reference the Gemini API endpoint and local file writes; they do not attempt to read unrelated system files or send data to unexpected external endpoints.
Install Mechanism
There is no install spec or external download; the skill is instruction-only with a bundled Python script. This minimizes installer risk. The script uses Python requests but the package.json is just metadata and there is no remote code fetch.
Credentials
The SKILL.md and script require GEMINI_API_KEY (or --api-key) but the registry metadata declares no required environment variables or primary credential. Requesting a single Gemini API key is proportionate to the stated functionality, but the omitted declaration is problematic and could cause surprise or misconfiguration. The script writes output files to disk (default './') which is expected but should be noted.
Persistence & Privilege
The skill is not marked always:true and does not request unusual system privileges. It does not modify other skills or system configuration. Autonomous invocation is enabled by default (normal) but not excessive here.
What to consider before installing
This skill appears to be a straightforward Gemini (Google Generative Language) research client, but the package/registry metadata is inconsistent: SKILL.md and the Python script require GEMINI_API_KEY while the registry lists no required environment variables. Before installing or using:
1) Verify you are comfortable providing a GEMINI_API_KEY (from Google AI Studio) and avoid sharing other unrelated credentials.
2) Prefer running the script in an isolated environment (or container) since it will make network calls to generativelanguage.googleapis.com and write files to the local directory.
3) If you rely on the registry metadata for automated policies, correct the metadata to declare GEMINI_API_KEY as a required secret.
4) If you need stronger assurance, request the publisher identity/homepage or inspect the script locally (it is short and readable) and confirm the API endpoint and behavior meet your expectations.
Like a lobster shell, security has layers — review code before you run it.
latest: vk973ynypv7f66apxzw4wh4993x851fm3
