Is gemini-deep-research safe?
https://clawhub.ai/arun-8687/gemini-deep-research
This skill is a straightforward Gemini Deep Research API client that does what it claims: it sends research queries to Google's API and saves the results. However, it creates a significant outbound data channel, since agent-constructed queries (which may contain sensitive user context) are transmitted to an external API. Filesystem monitoring also detected reads of .env and .aws/credentials during installation, attributed to the OpenClaw runtime. The code is transparent with no obfuscation, but its architecture is easily weaponizable via supply-chain modification.
Findings (10)
HIGH: Sensitive file reads during install phase (-25)
Filesystem monitoring detected reads of /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the skill installation. While likely caused by the OpenClaw runtime environment rather than the skill itself, this demonstrates that sensitive credentials are accessible in the execution environment where this skill's Python script runs.
HIGH: Outbound data channel to external API (-30)
The Python script sends arbitrary user-provided content (--query, --format) to https://generativelanguage.googleapis.com. While this is the stated purpose, it creates an exfiltration channel. Any data the LLM agent passes as a research query is transmitted to Google's servers. The API_BASE URL is hardcoded but trivially modifiable in a supply-chain attack.
MEDIUM: Executable Python script with external HTTP requests (-25)
deep_research.py is a fully executable script that makes outbound HTTP POST and GET requests, reads environment variables, and writes files to disk. While the code is transparent and does what it claims, it runs with full agent permissions.
MEDIUM: API key exposed via CLI argument (-10)
The script accepts --api-key as a command-line argument. API keys passed this way appear in process listings (ps aux) and may be logged in shell history, creating a credential exposure risk.
MEDIUM: Arbitrary file write via --output-dir (-13)
The script writes output files to any directory specified by --output-dir, creating directories as needed with mkdir(parents=True). If the agent is manipulated into specifying a sensitive path, this could overwrite important files.
MEDIUM: Supply-chain weaponization risk (-25)
The skill's architecture (read env vars, send data to an external API, write files) is benign as written but provides infrastructure that is easily weaponized. Changing API_BASE to an attacker-controlled server would silently exfiltrate all research queries, and because the skill legitimately communicates with an external API, such a change would be hard to distinguish from normal operation.
MEDIUM: Implicit data leakage via research queries (-20)
When an LLM agent uses this skill, it constructs research queries from user context. Sensitive information from the conversation could be included in queries sent to Google's API without the user explicitly consenting to share that specific data externally.
LOW: OpenClaw runtime reads sensitive config files (-25)
The install process read .openclaw/openclaw.json, auth-profiles.json, .profile, and .bashrc multiple times. While attributed to the runtime, it indicates the execution environment provides broad file access.
INFO: No prompt injection detected (0)
SKILL.md contains standard documentation with no hidden instructions, persona overrides, or manipulation attempts. The metadata correctly declares its GEMINI_API_KEY requirement.
INFO: Canary files intact (0)
All honeypot files remained unmodified, indicating the skill did not attempt to access or exfiltrate planted credential files.