ClawHub
Back to skill
v1.0.0

Intelligent search for agents. Multi-source retrieval with confidence scoring - web, academic, and Tavily in one unified API

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:29 AM.

Analysis

This appears to be a coherent search-integration skill that uses an AIsa API key to send user search queries to external web, academic, and Tavily-style search endpoints.

GuidanceThis skill is reasonable for web and academic search. Before installing, make sure you are comfortable giving it an AIsa API key and sending your search queries or URLs to api.aisa.one. Use a dedicated key, avoid sensitive internal data in queries, and keep crawl/extraction tasks narrowly scoped.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
Tavily search ... Extract content from URLs ... Crawl web pages ... Site map

The skill exposes URL extraction, crawl, and map operations. These are consistent with the stated search/retrieval purpose but can affect third-party sites if used broadly.

User impactThe agent could be asked to retrieve or crawl external URLs through the API, which may have quota, policy, or acceptability implications.
RecommendationKeep crawl and extraction requests user-directed, scoped to appropriate URLs, and limited in depth or volume.
Agent Goal Hijack
SeverityInfoConfidenceMediumStatusNote
SKILL.md
Full text search (with page content)

The skill can return external page content to the agent. Retrieved web content is untrusted data and may contain instructions or misleading text.

User impactIf an agent treats retrieved page content as instructions instead of evidence, web pages could influence the agent's behavior.
RecommendationTreat search results and page content as untrusted reference material, not as commands or policy.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
requires:{"bins":["curl","python3"],"env":["AISA_API_KEY"]},"primaryEnv":"AISA_API_KEY"

The skill requires an API key and uses it as its primary credential, which is expected for this search service but is still account-authorized access.

User impactAnyone installing the skill must provide an AIsa API key, and requests made by the agent may consume that account's quota or privileges.
RecommendationUse a dedicated, revocable API key with the minimum access needed and monitor usage.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/search_client.py
BASE_URL = "https://api.aisa.one/apis/v1"

The client sends searches, URLs, and API-authenticated requests to an external provider endpoint.

User impactSearch queries or URLs may be sent to the AIsa service, so private or sensitive research topics could leave the local environment.
RecommendationAvoid submitting secrets, private documents, or sensitive internal URLs unless the provider is trusted for that data.