Skill v0.0.1

ClawScan security

Deep Research with Caesar.org · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 3:52 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally coherent: it is a CLI wrapper for the Caesar research API and only requests the Caesar CLI binary and a CAESAR_API_KEY environment variable which match its stated purpose.
Guidance
This skill appears to be a straightforward CLI client for the Caesar research API. Before installing: (1) verify you trust the CAESAR_API_KEY provider and avoid pasting real secrets into public repos; (2) if you build the binary from source, review the repository (already included) or build with 'go install' from the official upstream; (3) ensure the 'caesar' binary you put on PATH is the expected build (to avoid replacing it with a malicious binary); (4) be aware the CLI will send your queries and any provided collection data to https://api.caesar.xyz under your API key, so don't include sensitive secrets in queries or uploaded collections unless you trust the service.

Review Dimensions

Purpose & Capability
ok: The name/description (Caesar research CLI) matches the declared requirements: it needs a 'caesar' binary and CAESAR_API_KEY. The repository contains a Go CLI that calls https://api.caesar.xyz and implements research, chat, brainstorm, and collections endpoints described in the SKILL.md.
Instruction Scope
ok: SKILL.md instructs installing/building the caesar CLI and setting CAESAR_API_KEY, then running the CLI commands. The runtime instructions only interact with the Caesar API via the CLI and do not direct the agent to read unrelated files, search the filesystem, or exfiltrate data to unexpected endpoints.
Install Mechanism
ok: There is no automated install spec; SKILL.md suggests 'go install' or building from source. The source is included and uses standard Go tooling. This is a low-risk, traceable install route (no arbitrary downloads or obscure URLs).
Credentials
ok: Only one environment variable (CAESAR_API_KEY) is required and the code reads exactly that variable for Bearer auth. There are no other credential or config path requirements, so requested access is proportionate to the stated API usage.
Persistence & Privilege
ok: The skill is not always-included and does not request elevated or persistent system privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed by default (platform default) but combined with no other red flags this is expected.