Skill v1.0.0
ClawScan security
Perplexity Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 6:35 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests, instructions, and bundled client align with its stated purpose of calling AIsa Perplexity Sonar endpoints, and the required access (AISA_API_KEY, curl, python3) is proportional.
- Guidance: This skill will send your queries and the AISA_API_KEY to api.aisa.one. Only install if you trust the AIsa service and are comfortable exposing that API key to the skill. Limit the key's scope if possible, rotate it periodically, and avoid sending highly sensitive or private data through it. You can review the bundled Python script (scripts/perplexity_search_client.py) yourself — it is small and transparent — and run it in a sandbox before allowing autonomous use. Note: curl is listed because SKILL.md includes curl examples; the Python client does not require curl to operate.
Review Dimensions
- Purpose & Capability: ok. Name/description promise Perplexity/Sonar queries, and the skill only requires an AISA API key, Python, and curl for examples; these map to that purpose. Requiring curl is reasonable given the curl examples, though the bundled Python client does not need curl to run.
- Instruction Scope: ok. SKILL.md instructs the agent to call the documented AIsa endpoints using either the bundled Python client or curl and only references the declared env var AISA_API_KEY and the local script. There are no instructions to read unrelated files, system state, or other credentials.
- Install Mechanism: ok. There is no install step (instruction-only with a bundled client file). The included Python client is small, readable, and sends requests only to https://api.aisa.one. No downloads from untrusted URLs or archive extraction are present.
- Credentials: ok. Only AISA_API_KEY is required (declared as primaryEnv), which is appropriate for a client that calls a hosted API. The script only reads that env var, and no other secrets or unrelated credentials are requested.
- Persistence & Privilege: ok. "always" is false, and the skill does not request persistent system-wide changes or access to other skills' configs. It merely runs a client that contacts the AIsa API.
