Gemini Deep Research (J-Claw)

Pass

Audited by VirusTotal on May 10, 2026.

Findings (1)

The skill bundle implements a complex, long-running research workflow that involves several high-risk behaviors. It requires installing a third-party extension from a GitHub repository (allenhutchison/gemini-cli-deep-research) and explicitly instructs the agent to extract sensitive API keys from a local .env file (~/.gemini/extensions/gemini-deep-research/.env). Furthermore, it generates and executes background bash scripts (poll.sh) using nohup, which utilize the 'openclaw' CLI to send messages and trigger further agent actions (skill chaining) without direct user supervision. While these capabilities are aligned with the stated goal of automating deep research, the combination of secret extraction, external software installation, and background agent-triggering significantly expands the attack surface.