Skill v4.3.0
ClawScan security
Search Viewer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 10:45 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package is a local GUI OSINT tool that matches its description, but there are coherence and safety concerns (missing/incorrect dependency declarations, incomplete install instructions, and plaintext storage / arbitrary URL fetch behavior) that warrant review before use.
- Guidance: This tool appears to be what it says (an OSINT GUI aggregator) but has several practical and security issues you should consider before installing:
  - Verify the source repository and review the code (Search_Viewer.py and iconhash.py) yourself or with a trusted reviewer; the package owner is not clearly established here.
  - The SKILL.md and _meta.json understate dependencies. Before running, inspect imports and install required libraries (shodan, mmh3, configobj, jsonpath, etc.), or run in a disposable environment (VM or container).
  - API keys are stored in a local config.ini in plaintext. Do not use production/privileged credentials. Use throwaway or scoped API keys where possible and restrict file permissions (chmod 600). Rotate keys after use.
  - The iconhash feature issues HTTP GET requests to user-supplied URLs. That can be abused to probe internal network services (SSRF-like behavior). Only query URLs you trust and consider running the app on an isolated network.
  - If you plan to use this for sanctioned testing, ensure you have authorization for targets and comply with legal/regulatory requirements.

  If you want to proceed: run the app in an isolated VM, confirm and install all actual Python dependencies found in the code, inspect network calls in the source, and avoid entering sensitive credentials until you are comfortable with the code.
Review Dimensions
- Purpose & Capability (note): The code implements a desktop GUI aggregator for Fofa/Hunter/Shodan/Quake/Zoomeye (consistent with the description). However, the metadata and SKILL.md list only pyside2 and requests, while the code imports additional libraries (shodan, mmh3, configobj, jsonpath, configparser, etc.). This mismatch indicates the provided instructions and metadata are incomplete or out of sync with the actual code.
- Instruction Scope (concern): Runtime instructions tell the user to clone and run the app and to install only pyside2 and requests. The application reads and writes a local config.ini to store API keys (no encryption) and provides UI features that fetch arbitrary URLs (iconhash uses requests.get on user input). Storing API keys in plaintext and fetching arbitrary URLs (which can reach internal resources) are security-sensitive behaviors that the SKILL.md does not adequately warn about.
- Install Mechanism (note): There is no automated install spec (lower platform install risk), but the SKILL.md's pip install line is incomplete relative to the code's imports. Users following the instructions will likely encounter missing-dependency errors or install the wrong set of packages.
- Credentials (note): The skill does not request environment variables or external credentials in the metadata (appropriate). It does, however, require users to supply multiple third-party API keys via the GUI, which are stored locally in config.ini in plaintext; this is functionally expected but worth noting because those keys grant network access and should be protected.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request system-wide configuration or other skills' credentials. It runs as a local application and keeps configuration in a local file; it does not appear to claim elevated platform privileges.
