Is alimostafaradwan/gemini-assistant safe?

https://github.com/openclaw/skills/tree/main/skills/alimostafaradwan/gemini-assistant

78
CAUTION

The gemini-assistant skill is a functionally legitimate AI proxy that forwards user queries to Google's Gemini API, but carries meaningful security risks: an incomplete chat_id sanitization routine omits forward-slash filtering, enabling path traversal writes via ffmpeg with the -y overwrite flag; the externally injectable system_instruction parameter allows orchestrators or chained skills to repurpose the underlying LLM without modifying SKILL.md; and the skill's inherent design creates a persistent outbound data channel to a third-party endpoint. No canary exfiltration was confirmed and the install behavior was clean, but the combination of these structural vulnerabilities in an agent context warrants careful review before deployment.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

HIGH Path traversal in voice output file via unsanitized chat_id -20

The voice output path is constructed as /tmp/gemini_voice_{safe_id}.ogg where safe_id replaces @, +, and . but does not strip forward slashes. An attacker controlling chat_id can supply a value containing ../ sequences to write the ffmpeg-generated OGG output to arbitrary filesystem paths. The -y flag causes ffmpeg to overwrite existing files silently.

HIGH All user input forwarded to third-party Google Gemini API -12

Every text message and audio clip processed by this skill is transmitted to Google's Gemini Live API endpoint. There is no data minimization, no PII scrubbing, and no user notification. When combined with an agent that has access to sensitive files or conversations, all that content can flow to Google's infrastructure.

MEDIUM Externally injectable system_instruction parameter -18

The handle_request() function accepts a system_instruction field from the calling context and passes it directly to the Gemini model. Any caller — including a compromised orchestrator or a chained skill — can override the benign default system prompt with arbitrary instructions, potentially redirecting the model's behavior without modifying SKILL.md.

MEDIUM subprocess.run with partially-sanitized user-derived output path -10

ffmpeg is invoked via subprocess with the voice output path derived from chat_id. Although the argument list form prevents shell injection, the unsanitized path (see path traversal finding) allows ffmpeg to write binary data to attacker-controlled filesystem paths. Overwriting executable files or configuration files with OGG-format binary could cause secondary execution or system corruption.

MEDIUM Skill creates persistent outbound data channel usable by chained skills -15

A sophisticated attacker deploying this skill alongside a file-reading or memory-access skill could use the Gemini channel to exfiltrate data without triggering local network egress detection, since the connection to generativelanguage.googleapis.com over port 443 is indistinguishable from legitimate AI assistant use.

LOW GEMINI_API_KEY loaded into process environment without masking -8

The API key is loaded into os.environ from a .env file and remains readable by any process running as the same user. In a multi-skill environment, a malicious co-resident skill could read GEMINI_API_KEY from /proc/{pid}/environ to hijack the Gemini account.

INFO Clean sparse checkout install with no residual artifacts 0

Install cloned from github.com/openclaw/skills.git, applied sparse checkout for the target subpath, copied files to the skill directory, and removed the temporary clone. No unexpected filesystem changes or persistent network connections introduced.