Gemini Deep Research (J-claw)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s Gemini research workflow is coherent, but it runs an unpinned auto-updating MCP extension with Google credentials and broad environment access, so it needs review before use.
Install only if you trust the Gemini CLI extension source. Review or pin the extension before enabling auto-update, keep unrelated secrets out of the agent environment, confirm the save path and topic, and expect paid Gemini API quota to be used.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The code that handles research requests and credentials can change later through auto-updates without being reviewed as part of this skill.
The skill tells the user to install an unpinned GitHub extension with auto-update enabled, and the included client later runs that extension as local code.
gemini extensions install https://github.com/allenhutchison/gemini-cli-deep-research --auto-update
Install only from a trusted source, consider disabling auto-update or pinning a reviewed version, and have the skill metadata declare the external dependency.
Any secrets present in the agent environment could become accessible to the spawned extension process.
The spawned MCP server receives the full current environment plus any variables read from the extension .env file, which may include credentials beyond the stated Google API key.
const extEnv = loadEnv(envPath); ... env: { ...process.env, ...extEnv }
Limit the child process environment to only the variables required for Gemini Deep Research and declare credential requirements in metadata.
Using the skill runs the installed MCP extension with the user’s local account permissions.
The skill starts a local Node MCP server. This is purpose-aligned, but it is still local code execution.
server = spawn('node', ['dist/index.js'], { cwd: EXT_PATH, stdio: ['pipe', 'pipe', 'pipe']
Use only after verifying the installed extension path and source.
Sensitive topics or private details included in the prompt may be shared with the external Gemini service.
The user’s research topic is explicitly sent to Gemini through the MCP workflow.
Research topic (exact wording goes to Gemini — make it clear and specific)
Avoid putting confidential data in research topics unless sharing it with Gemini is acceptable.
A research job may continue running in the background and consume paid API quota while the main chat remains responsive.
The skill intentionally runs a background sub-agent for long-running research, which is disclosed and bounded by the workflow timeout.
Use `sessions_spawn` with `runtime: "subagent"` to run the script in the background so the main session remains responsive.
Confirm the topic and stop or avoid launching the task if you do not want background work or API usage.
