ClawHub

Answers

v1.0.0

USE FOR AI-grounded answers via OpenAI-compatible /chat/completions. Two modes: single-search (fast) or deep research (enable_research=true, thorough multi-s...

0· 293·4 current·4 all-time
by@0xrichyrich
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim AI-grounded answers via an OpenAI-compatible /chat/completions endpoint, and the SKILL.md shows exactly that using https://api.search.brave.com/res/v1/chat/completions. Requiring network access to Brave Search is consistent with the stated purpose.
Instruction Scope
The SKILL.md stays within the stated scope: it provides example requests, parameters, and behaviors (single-search vs research mode). It instructs the agent to send user messages to a third-party API (Brave Search) and to include an API key header. It does not attempt to read local files or unrelated system state. Important: the docs explicitly require an API key and subscription token for Brave Search.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or installed — lowest install risk.
!
Credentials
The SKILL.md examples and auth notes require a Brave API key (e.g., X-Subscription-Token or Authorization: Bearer) and reference an environment variable BRAVE_SEARCH_API_KEY, but the skill metadata lists no required environment variables or primary credential. This mismatch is disproportionate and a metadata integrity issue: the skill will need a secret at runtime but doesn't declare it.
Persistence & Privilege
The skill is not always-enabled and does not request system persistence or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high-privilege requests.
What to consider before installing
This skill appears to call Brave Search's Answers API and will need a Brave API key to work, but the skill's metadata does not declare any required credentials — that mismatch is the main red flag. Before installing: (1) Confirm you trust the skill owner and that the skill metadata is corrected to declare the required BRAVE_SEARCH_API_KEY (or similar) so you know what secret the skill will use. (2) Use a limited-scope or dedicated Brave API key (not a shared or long-lived global secret) and verify billing/quotas on the Brave dashboard. (3) Understand that user prompts and any context you provide will be sent to api.search.brave.com (research mode streams more and runs multiple queries), so avoid sending sensitive data. (4) If you need higher assurance, ask the publisher to update the skill manifest to list required env vars (primaryEnv) and include a homepage/source so you can verify provenance. If you can't verify those, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c0we15rpnr0d345zr8e6p858246q8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments