Skill v1.0.2
ClawScan security
deep-research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 8:40 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required GEMINI_API_KEY are coherent with its stated purpose (running a Gemini deep-research agent). There are no unexplained credential or install demands, but review the npm dependency and treat your API key as sensitive.
- Guidance: This skill appears to do what it says: run a Gemini deep-research agent using your GEMINI_API_KEY and the @google/genai SDK. Before installing or using it: (1) install @google/genai from the official npm registry, or point the script at a vetted local SDK path; (2) treat GEMINI_API_KEY as sensitive, use a scoped or restricted key where possible, and rotate it after use; (3) be aware that stderr carries the agent's intermediate "thoughts" (which may reveal internal chain-of-thought), so do not expose stderr content to end users without review; and (4) run the script in an isolated environment if you have any doubts about its provenance. For higher assurance, review the included deep-research.mjs source (already inspected here) and verify that the installed npm package contents match the upstream release.
Review Dimensions
- Purpose & Capability (ok): The name and description claim a Gemini deep-research agent, and the skill requires a GEMINI_API_KEY plus the @google/genai SDK (or an explicit SDK path). Those requirements match the stated purpose.
- Instruction Scope (note): SKILL.md instructs running the included deep-research.mjs with GEMINI_API_KEY in the environment, explicitly disallows reading local config files, and warns not to display the API key. Note that the script intentionally prints intermediate "thinking summaries" (the agent's internal summaries) to stderr. This is expected for debugging and progress reporting, but it can leak internal reasoning if stderr output is presented directly to end users.
- Install Mechanism (note): There is no install spec; the script dynamically imports @google/genai or a user-provided SDK path. This is low-risk in itself, but it means the runtime must already have the package installed from the npm registry (or a trusted local build). Verify the package source before installing.
- Credentials (ok): The only required credential is GEMINI_API_KEY (plus an optional GOOGLE_GENAI_SDK_PATH). No unrelated secrets, config paths, or extra credentials are requested.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated or persistent system privileges, and does not modify other skills' configs. It runs only as an invoked script.
