Gemini Deep Research 1.0.0
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: gemini-deep-research-1-0-0 Version: 1.0.0 The OpenClaw skill 'gemini-deep-research' is designed to interact with the legitimate Google Gemini Deep Research API. It takes user queries and formatting instructions, authenticates using a `GEMINI_API_KEY` (from environment or CLI), and sends requests to `https://generativelanguage.googleapis.com`. The script saves the generated research reports locally as markdown and JSON files. There is no evidence of data exfiltration to unauthorized endpoints, malicious command execution, persistence mechanisms, or prompt injection against the OpenClaw agent itself. The ability to specify output format via `--format` is a feature for guiding the remote AI model, not a vulnerability in the skill's local execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Research requests may consume the user's Gemini API quota or incur costs.
The script uses a Gemini API key for authentication, which is expected for this service but gives the script access to the user's Gemini API quota/account context.
api_key = args.api_key or os.environ.get("GEMINI_API_KEY")Use a dedicated or quota-limited Gemini API key where possible, and prefer the environment variable over passing the key on the command line.
Sensitive research topics or references to private Gemini file-search stores may be shared with the external provider.
The user's query, formatting instructions, and optional file-search-store name are sent to Google's Gemini API endpoint. This is central to the skill's purpose and is disclosed.
requests.post(f"{API_BASE}/interactions", headers=headers, json=payload)Avoid sending confidential information unless your use of Gemini API is approved for that data, and verify any file-search store name before using it.
Local output files may contain sensitive research content or metadata and could be reused or exposed if stored in shared directories.
The full Gemini interaction result is saved to a local JSON file, which may include the query, response, progress metadata, and any context returned by the provider.
json_path.write_text(json.dumps(result, indent=2))
Choose an appropriate output directory and delete or protect generated markdown/JSON files if they contain sensitive information.
A research job may continue running with the provider for minutes or hours and may consume quota while it completes.
The script starts a background Gemini Deep Research interaction and then polls until completion. This long-running behavior is disclosed in the skill description and is aligned with deep research tasks.
"background": True
Use it for intended long-running research tasks, monitor progress, and check provider-side controls if you need to cancel a job.
It is harder to independently verify who published or maintains the skill.
The embedded ownerId differs from the supplied registry Owner ID, and the registry metadata lists the source as unknown with no homepage. This is a provenance ambiguity, not evidence of malicious behavior.
"ownerId": "kn7azq5e6sw0fbwwzdpcwvvjzd7z0x4z"
Review the included script before use and install only if you trust the registry listing or publisher.