Is gemini safe?

https://clawhub.ai/steipete/gemini

78
CAUTION

The gemini skill itself is a benign, minimal CLI documentation wrapper with no executable code or suspicious instructions. However, it is bundled with a baidu-search skill that contains a Python script making HTTP POST requests to a Chinese cloud API (qianfan.baidubce.com), which introduces data exfiltration risk through legitimate-looking search queries. The install phase showed the runtime environment accessing .env and .aws/credentials files, though canary files remained intact.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (7)

MEDIUM Bundled skill sends data to external Chinese cloud API -25

The baidu-search skill (bundled alongside gemini) contains a Python script that POSTs user search queries to qianfan.baidubce.com. While presented as a Baidu search integration, any context the agent includes in the search query would be transmitted to this third-party endpoint. The X-Appbuilder-From header identifies the source as 'openclaw'.

MEDIUM Bundled skill contains executable Python with external HTTP calls -30

The baidu-search skill includes search.py which is a full Python script using the requests library to make HTTP POST calls. The agent is instructed to invoke this via shell command with JSON arguments, creating a code execution pathway that could be modified in future versions.

LOW Runtime accessed .env and .aws/credentials during install -25

The OpenClaw runtime environment accessed /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the skill installation phase. While this appears to be the framework itself (not the skill) probing for configuration, it indicates the runtime environment the skill operates in has access to sensitive credential files.

LOW Skill instructs agent to run shell commands with user-controlled input -15

The baidu-search SKILL.md instructs the agent to execute shell commands with JSON parameters that could be influenced by user prompts. While the Python script itself handles JSON parsing safely, the shell invocation pattern (passing JSON as a shell argument) could be exploited through prompt injection to modify the command.

INFO BAIDU_API_KEY required as environment variable -10

The skill requires BAIDU_API_KEY to be set in the environment and transmits it as a Bearer token to the Baidu API. Users must trust both the skill and the Baidu API endpoint with this credential.

INFO Gemini skill recommends avoiding --yolo flag 0

The gemini SKILL.md explicitly notes 'Avoid --yolo for safety', which is a positive safety-conscious instruction that prevents the Gemini CLI from auto-executing commands without confirmation.

INFO No install scripts, git hooks, submodules, or symlinks detected -10

The skill package contains no package.json install scripts, no git hooks, no submodules, and no symlinks. The installation was clean with no code execution during clone.