deep-research
Audited by Socket on Feb 27, 2026
1 alert found:
Malware
This skill's manifest describes an expected use case (a CLI script that uses a Gemini API key to run multi-step research) and requires a GEMINI_API_KEY and network access; both are reasonable for its stated purpose. The provided fragment contains no code, no download-execute patterns, and no obvious malicious instructions. Primary risks are: (1) handling of the raw API key (it must not be logged or forwarded to third parties), (2) possible undisclosed third-party intermediaries, if present in the implementation, and (3) privacy and cost concerns because of very high token usage claims. Without the actual implementation (scripts/research.py and any dependencies) we cannot fully validate data flows, TLS/certificate handling, or logging behavior. Review the actual code to confirm where requests are sent (official Google endpoints only), that TLS verification is enabled, that there are no hardcoded or exfiltration endpoints, and that secrets are not logged or forwarded. Overall: likely benign for its stated purpose, but review of the implementation is recommended before use in environments with sensitive data.