Is aiwithabidi/a6-gemini-video-analyzer safe?
https://github.com/openclaw/skills/tree/main/skills/aiwithabidi/a6-gemini-video-analyzer
The gemini-video-analyzer skill is a functionally coherent and code-clean Gemini API client with no evidence of malicious intent in its SKILL.md, Python scripts, or install behavior. The principal risks are structural rather than adversarial: the skill uploads arbitrary file content to Google's external infrastructure by design, and its default prompt aggressively extracts all visible text from analyzed videos, creating an indirect prompt injection surface if adversarially crafted videos are analyzed. No canary violations, no unexpected network activity, and no prompt injection patterns were detected.
Findings (6)
MEDIUM Unrestricted file upload to Google Gemini API -18
analyze.py accepts an arbitrary file path argument and uploads the raw bytes to Google's generativelanguage.googleapis.com Files API. The only validation is os.path.exists(). If an agent is misdirected (e.g., via prompt injection in a video, or a confused-deputy scenario), it could upload sensitive local files such as .env, SSH keys, or source code. Uploaded content is retained on Google's infrastructure for 48 hours.
LOW Indirect prompt injection via analyzed video content -15
The skill's default prompt explicitly instructs Gemini to extract 'any text, UI elements, spoken words, or important visual information' from the video. If a video contains crafted on-screen text or spoken instructions designed to manipulate an LLM, the raw Gemini response is printed to stdout without sanitization and will be incorporated into the agent's context. Screen recording analysis is listed as a primary use case, making this surface non-hypothetical.
LOW API key exposed in process environment -10
SKILL.md Quick Start instructs running the scripts as GOOGLE_AI_API_KEY=$GOOGLE_AI_API_KEY python3 ..., which makes the key visible in /proc/{pid}/environ to any process with read access on the host, and may leave it in shell history or process listings.
INFO Clean install from official openclaw monorepo 0
Installation used git sparse-checkout to pull only the target skill subdirectory from https://github.com/openclaw/skills.git. The only external connection during install was to GitHub (140.82.112.3:443). The temporary clone directory was removed after the files were copied. No unexpected processes or network activity were observed.
INFO Canary file accesses are audit-framework artifacts 0
PATH audit records for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials appear at audit IDs 408-413 (timestamp 1771916867, pre-install) and 6988-6993 (timestamp 1771916892, post-install). The identical 6-file sequential pattern at both pre- and post-install checkpoints, combined with the canary integrity report confirming all files intact, indicates these are oathe's own baseline comparison scans rather than skill-triggered access.
INFO No malicious code execution patterns 0
Both Python scripts are clean: standard library only, no subprocess, no eval/exec, no shell command construction, no install hooks, no git submodules or hooks. The scripts implement a straightforward Gemini API client using urllib.request with the resumable upload protocol.