Gemini Guide
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a benign instruction-only Gemini API guide, but following its examples may install Google’s SDK and send API keys, files, or cached documents to Google.
This skill appears safe as an instruction-only Gemini API reference. Before following the examples, use secure secret handling for API keys, install packages from trusted sources, and avoid uploading or caching sensitive files unless you understand Google Gemini’s data handling and retention terms.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user follows the example, their environment will install a third-party SDK package.
The guide recommends installing an external Python package. This is expected for a Gemini API guide, but users should install from trusted package sources and manage versions appropriately.
pip install google-genai # official SDK
Install the SDK from a trusted package index, consider pinning versions in projects, and review dependency policies for production environments.
Users need a Google/Gemini API key to run the examples, and that key can authorize API usage and billing depending on the account configuration.
The example uses a Gemini API key. This credential use is purpose-aligned and shown as a placeholder, with no artifact evidence of hardcoded secrets, logging, or unrelated credential access.
client = genai.Client(api_key="YOUR_API_KEY")
Store API keys in environment variables or a secrets manager rather than hardcoding them, and use least-privilege keys where available.
If users copy these examples with real files, the images, video, or audio in those files may be sent to Google’s Gemini service.
The guide shows uploading local media files to the Gemini provider. This is expected for multimodal Gemini usage, but it can transmit user-controlled local content to an external service.
video_file = client.files.upload(file="video.mp4")
Only upload files you are permitted to share with the provider, and review provider data handling terms for sensitive or regulated content.
Documents supplied for caching may remain available to the Gemini service for the cache lifetime and could be reused in follow-up prompts.
The guide demonstrates provider-side context caching for a large document. This is purpose-aligned for cost reduction, but cached content may persist for the configured TTL and be reused in later requests.
client.caches.create(model="gemini-2.0-flash", contents=[large_document], ... ttl="3600s")
Avoid caching sensitive documents unless the provider terms and retention settings are acceptable, and keep TTLs as short as practical.
