deep-research
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears purpose-aligned and not malicious, but it uses a Gemini API key, loads the Google GenAI SDK, and sends research topics to Gemini for long-running research.
This skill looks coherent for Gemini-based deep research. Before using it, install the Google GenAI SDK from a trusted source, protect your GEMINI_API_KEY, avoid sending confidential prompts unless approved, and expect long-running provider-side research that may consume quota.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your Gemini account/key quota for research requests.
The skill requires a Gemini API key to run the provider integration. This is expected for the stated Gemini Deep Research purpose, and the artifacts do not show credential logging, hardcoded keys, or local config scanning.
primaryEnv: GEMINI_API_KEY ... export GEMINI_API_KEY="<api_key>"
Use a revocable, appropriately scoped API key and avoid exposing the real key in shared logs, screenshots, or saved command examples.
If an untrusted package version or local SDK path is used, that dependency could execute code in the user's environment.
The helper dynamically imports the Google SDK from npm by default or from an explicit local override path. This is disclosed and purpose-aligned, but the loaded SDK code must be trusted.
const candidates = [process.env.GOOGLE_GENAI_SDK_PATH?.trim(), '@google/genai'].filter(Boolean); ... const mod = await import(specifier);
Install @google/genai from the official npm source, consider pinning/reviewing the version, and only set GOOGLE_GENAI_SDK_PATH to a trusted local SDK file.
Sensitive topics or confidential details included in the research prompt may be transmitted to Gemini.
The user's research query is sent to Google's GenAI Interactions API. This external provider flow is central to the skill and disclosed, with no evidence of unrelated data collection.
const client = new GoogleGenAI({ apiKey }); ... input: query ... await client.interactions.create(params);
Do not include secrets or confidential material in research prompts unless that use is acceptable under your organization's data policy.
A research job may take time and consume API quota while it runs.
The script starts a background Gemini deep-research interaction. This matches the stated long-running research purpose and is not hidden, but users should be aware it may run for an extended period.
background: true, stream: useStream
Confirm the research scope before starting, set a reasonable timeout, and keep the interaction ID only as needed for follow-up.
