I was experimenting with the Gemini Command Line Interface (CLI), which I installed via Homebrew within an Ubuntu WSL2 instance.

While reviewing the quick-start page on GitHub, I encountered what I believe are extremely poor security instructions: advising users to manually print their API key in the shell, which consequently saves it to the Bash history. This advice directly contradicted the more in-depth documentation, which detailed the correct, secure method for API key usage—a method the quick-start guide failed to mention, simply stating to "export the API key."
Realizing the security risk of having the key in my command history, I successfully took steps to delete it from the Bash history.
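As an added example (not part of the original post, and not the Gemini CLI's own tooling), the script below shows the two defensive steps the post touches on: checking a shell history file for a key that was typed on the command line, and loading the key from a permission-restricted file instead so it never reaches the history. The variable name `GEMINI_API_KEY` and the history lines are constructed assumptions.

```shell
#!/usr/bin/env bash
# Constructed example: detect an API key assignment in a shell history file
# and load the key from a 0600 file instead of typing it on the command line.

# Count history lines that assign a value to the given variable name,
# with or without a leading "export". Prints 0 when nothing is found.
# Usage: count_key_leaks <history_file> <var_name>
count_key_leaks() {
  [ -r "$1" ] || { echo 0; return; }
  grep -c -E "(^|[[:space:];&|])(export[[:space:]]+)?$2=" "$1" || true
}

# Read the key from a file that must be a regular file with mode 0600,
# so the value is never part of a command line (and so never in history).
# Usage: load_key_from_file <path>  -> prints the key; returns 1 on failure
load_key_from_file() {
  [ -f "$1" ] || return 1
  perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$perm" = "600" ] || return 1
  IFS= read -r key < "$1"
  printf '%s' "$key"
}

# Stand-alone demonstration on constructed input.
demo() {
  tmp=$(mktemp -d)
  # Constructed history: one line leaks the key the way the quick-start suggests.
  printf 'ls -la\nexport GEMINI_API_KEY=CONSTRUCTED-VALUE\ngemini\n' > "$tmp/hist"
  echo "leaked assignments in history: $(count_key_leaks "$tmp/hist" GEMINI_API_KEY)"
  # The safer pattern: key lives in a 0600 file, read into the environment.
  printf 'CONSTRUCTED-VALUE\n' > "$tmp/key"
  chmod 600 "$tmp/key"
  GEMINI_API_KEY=$(load_key_from_file "$tmp/key") && export GEMINI_API_KEY
  echo "key loaded from file: ${GEMINI_API_KEY:+yes}"
  rm -rf "$tmp"
}
demo
```

Reading the key with `GEMINI_API_KEY=$(load_key_from_file ~/.gemini_key)` puts only the file path in history, not the secret; with `HISTCONTROL=ignorespace` set, a command prefixed by a space is also kept out of Bash history.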

Following the security remediation, I still sought the officially recommended way to securely integrate the API key into the Gemini CLI (unaware at the time that a standard secure mechanism already existed). When I queried the Gemini CLI itself for instructions on secure API key integration, it performed a completely unexpected and shocking action: it deleted my entire .bashrc file without any specific prompt or command to do so.
Although I acknowledge the inherent risk of asking an AI with filesystem access for such advice, the unprompted deletion of a core configuration file was astonishing. The bot even displayed an apology, indicating that it recognized the egregious error it had committed.

Based on this experience, where the Gemini CLI demonstrated not only the potential for providing poor initial security advice but also performed an unsolicited, destructive action on a critical user file, my strong recommendation is:
DO NOT USE THE GEMINI CLI.
