Skill v1.0.0

ClawScan security

AIsa Tavily Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 7:39 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required environment variable (AISA_API_KEY) are coherent with its stated purpose of querying the AIsa search API and producing multi-source research outputs.
Guidance
This package appears internally consistent, but it will send all queries and any extracted URL content to the remote AIsa service (https://api.aisa.one). Before installing, confirm you trust that provider and avoid using sensitive API keys or pasting confidential URLs/content. Use a dedicated, limited-scope AISA_API_KEY where possible, rotate it if needed, and review the script if you want to verify exactly what fields are transmitted (endpoints used include /scholar/search/*, /tavily/*, /sonar*, /scholar/explain, etc.). Because the skill's source/homepage is not provided, double-check provider reputation if you require stronger assurance.

Review Dimensions

Purpose & Capability
ok: Name/description ask for multi-source and recent web research; the packaged CLI (scripts/search_client.py) requires only python3 and an AISA_API_KEY and calls AIsa endpoints (api.aisa.one). The requested resources are consistent with the stated capability.
Instruction Scope
ok: SKILL.md instructs running the shipped Python CLI, using repo-relative scripts/, and setting AISA_API_KEY. The runtime instructions and the code limit actions to calling AIsa endpoints and printing results. The script does not instruct reading unrelated local files or other environment variables.
Install Mechanism
ok: No install spec is provided (instruction-only runtime with a bundled script). Nothing is downloaded or extracted at install time, so there is low install-time risk.
Credentials
ok: Only AISA_API_KEY is required and declared as the primary credential; this is proportional to a skill that calls a third-party search API. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: The skill is not always-enabled and is user-invokable. It does not request or modify other skills or system-wide settings.