      steipete

      Safety Report

      Gemini

      @steipete

      Gemini CLI for one-shot Q&A, summaries, and generation.

      18,987 Downloads
      799 Installs
      38 Stars
      1 Versions
      CLI & Shell Tools 1,805

      Security Analysis

      medium confidence
      Suspicious, 0.08 risk

      The skill is generally consistent with a thin wrapper around the Gemini CLI, but there are metadata inconsistencies (SKILL.md advertises a required 'gemini' binary and a brew install while the registry metadata lists no requirements/install), so verify the CLI source before installing.

      Feb 11, 2026, 1 files, 2 concerns

      Purpose & Capability: note

      The name/description (Gemini CLI for Q&A/summaries/generation) match the SKILL.md instructions which invoke a local 'gemini' binary. However the top-level registry metadata claims no required binaries or install spec, while SKILL.md's embedded metadata lists requires: ['gemini'] and a brew install for 'gemini-cli' — this mismatch is disproportionate and should be resolved.

      Instruction Scope: ok

      Runtime instructions are narrowly scoped: they show example gemini commands, mention a login flow if auth is required, and warn against an unsafe flag (--yolo). The instructions do not request reading unrelated files, environment variables, or sending data to unexpected endpoints.

      Install Mechanism: note

      SKILL.md embeds a brew install (formula 'gemini-cli') which is a low-risk, common install method. The registry-level metadata, however, reported 'No install spec' — this inconsistency is notable. If you plan to install, verify the brew formula/tap and upstream project (check maintainers, tap URL, and release page) before installing.

      Credentials: ok

      No environment variables, credentials, or config paths are requested, which is proportionate for a CLI wrapper that delegates auth to the CLI's interactive login flow.

      Persistence & Privilege: ok

      Skill does not request always:true or any elevated persistence. It is user-invocable and can be invoked autonomously (platform default), which is expected for a functional skill.

      Guidance

      This skill appears to be an instruction-only wrapper for a local 'gemini' CLI and is otherwise narrow in scope, but double-check before proceeding:

      - Confirm the discrepancy: the SKILL.md claims it needs the 'gemini' binary and offers a brew install ('gemini-cli'), yet the registry metadata lists no requirements. Ask the publisher to clarify or update metadata.
      - Only install the CLI from a trusted source. Inspect the brew formula (tap URL, maintainers, and source tarball) or install from an official release page (e.g., Google-backed project) and verify checksums.
      - If the CLI prompts you to authenticate, verify what account/provider is used and what tokens/permissions are granted. Prefer interactive auth flows over pasting secrets into a skill.
      - If you cannot verify the origin of the 'gemini' binary or brew formula, avoid installing it system-wide; consider running in an isolated environment (container or VM) first.

      If you want, I can: (a) summarize the metadata mismatch to share with the skill publisher, (b) help locate the official gemini-cli brew formula/source for verification, or (c) suggest safer alternatives if you prefer not to install additional software.

      Latest Release

      v1.0.0


      Published by @steipete on ClawHub
