Google Gemini Media
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires a Gemini API key that may incur quota or billing usage under the user's account.
The skill requires authenticated access to the user's Gemini account/API quota. This is expected for the stated integration, but the registry metadata lists no primary credential or required env vars.
Put your API key in `GEMINI_API_KEY`; REST requests use `x-goog-api-key: $GEMINI_API_KEY`
Set the key only in the intended environment, avoid hardcoding it in prompts or files, and use a key scoped and monitored for Gemini API usage.
Images, audio, or video provided to these workflows may be transmitted to Google services for processing.
The skill explicitly supports uploading media to Google's Files API and reusing file URIs for large files or multi-turn workflows.
Files API (upload then reference)... `files.upload(...)` ... Use `file_data` / `file_uri` in `generateContent`
Upload only media you intend to process with Gemini, review applicable Google data handling policies, and delete or limit reuse of uploaded files where appropriate.
Installing the SDK pulls code from the npm ecosystem into the user's project.
The skill suggests installing an external npm package without a pinned version. This is a normal setup step for the Gemini SDK, but users should verify package provenance.
Install SDK (example):
```bash
npm install @google/genai
```
Install the official @google/genai package from a trusted registry, consider pinning a version, and follow normal dependency review practices.
