ClawHub
Back to skill
v1.0.0

zhihu-search-api-skill

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:49 AM.

Analysis

This skill coherently uses BrowserAct to fetch Zhihu article results, with the main user considerations being API-key handling, third-party data sharing, and a long-running polling loop.

GuidanceBefore installing, be comfortable giving this skill access to your BrowserAct API key and sending Zhihu search terms to BrowserAct. Prefer setting the key as BROWSERACT_API_KEY rather than pasting it into chat, and watch long-running jobs so you can stop them if they do not complete.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
scripts/zhihu_search_api.py
while True: ... requests.get(f"{API_BASE_URL}/get-task-status?task_id={task_id}", headers=headers) ... time.sleep(10)

The script polls the external task status in an unbounded loop until BrowserAct reports a terminal status.

User impactIf the provider task never reaches a terminal state, the process could keep running and polling until the user stops it.
RecommendationMonitor long-running executions and stop the script manually if it appears stuck; adding a maximum timeout would improve containment.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/zhihu_search_api.py
api_key = os.getenv("BROWSERACT_API_KEY") ... headers = {"Authorization": f"Bearer {api_key}"}

The script reads a BrowserAct API key from the environment and uses it as a bearer token for BrowserAct API requests.

User impactThe skill needs a BrowserAct credential that can authorize workflow tasks on the user's BrowserAct account.
RecommendationUse an environment variable for the API key, avoid pasting secrets into chat when possible, and rotate the key if it is exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/zhihu_search_api.py
API_BASE_URL = "https://api.browseract.com/v2/workflow" ... requests.post(f"{API_BASE_URL}/run-task-by-template", json=payload, headers=headers)

The script sends the search keyword, date filter, and limit to BrowserAct's external API to run the workflow.

User impactSearch terms and task parameters are shared with BrowserAct, which may matter if the query contains private business or research interests.
RecommendationOnly use search terms you are comfortable sending to BrowserAct, and review BrowserAct's data-handling terms for sensitive monitoring workflows.