Gemini Sub-Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it deserves review because it encourages an auto-approved Gemini coding mode that can change files and run commands while also installing persistent system-wide tooling and credentials.

Install only on a trusted, single-user machine where global Google/Gemini tooling and cached Google credentials are acceptable. Avoid the documented `-y` auto-approval mode on important repositories or sensitive systems unless you are working in a disposable or well-backed-up sandbox, and do not pipe secrets, regulated data, or proprietary code to Gemini unless your policies allow sharing that data with Google.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill clearly instructs users to run shell commands and external scripts, including setup and autonomous CLI usage, yet it declares no permissions. This creates a transparency and policy gap: operators may invoke a skill with command-execution capability without an explicit trust boundary, increasing the chance of unsafe execution in sensitive environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The script modifies system package trust and repository configuration under /usr/share/keyrings and /etc/apt/sources.list.d, then performs a system-wide install. For a skill whose stated purpose is using Gemini as a sub-agent, these privileged OS changes exceed the minimum needed and create supply-chain and host-integrity risk if run on a shared or production machine.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding:
The script performs a global npm install of @google/gemini-cli, altering the host environment outside the skill directory. While common in setup scripts, this is still a privileged or persistent change not clearly justified by the skill manifest and increases risk from unpinned third-party package installation.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill states that Google/Gemini credentials are cached indefinitely and auto-refresh, but it does not warn about token sensitivity, storage location, revocation, or risks on shared hosts. On a VPS or multi-user machine, persistent cached credentials can be reused by other users or later processes, enabling unauthorized access to the linked Google account.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill recommends Gemini CLI with `-y` 'yolo mode,' which auto-approves all file writes and shell commands, effectively granting an external model unsupervised execution authority. In this context, the skill is specifically for autonomous coding tasks, so prompt injection, bad task framing, or model error could directly lead to destructive commands, data exfiltration, or unsafe code changes.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script silently adds a new apt repository, writes system files, updates package indexes, and installs google-cloud-cli without any interactive warning or consent gate. Unprompted privileged modification is dangerous because users may run the script expecting a lightweight skill setup, not host-level package management changes.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding:
The setup writes an executable wrapper into /usr/local/bin, creating a persistent command on the host without confirmation. Although the wrapper appears intended for convenience, silently placing executables in a global PATH location can surprise users and may interfere with existing tooling or policy controls.

VirusTotal

64/64 vendors flagged this skill as clean.