Skillv1.0.0

ClawScan security

google-image-api-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 3, 2026, 7:00 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions are consistent with its stated purpose (using BrowserAct to extract Google Images data); the only notable issue is a typo in the declared required binary ('pyhon') and some marketing claims that should be verified with the service provider.
Guidance: This skill appears to do what it says: it calls BrowserAct workflows to extract image metadata and returns the results. Before installing or providing an API key: 1) Fix or verify the required binary: the manifest lists 'pyhon' — make sure your agent environment has Python available and the agent knows to run 'python'. 2) Verify you trust BrowserAct (https://www.browseract.com) — the script will send your search parameters and receive scraped results via their API, so the key grants that service access to run tasks on your behalf. 3) Limit exposure: use a scoped or dedicated API key, monitor usage, and rotate the key if possible. 4) Confirm legality and terms: scraping search results or storing images may have legal/ToS implications in your use case. 5) Be skeptical of marketing claims in SKILL.md (e.g., 'No CAPTCHA' or 'No IP restrictions') — they may not hold in all cases; test with non-sensitive queries first. If you need higher assurance, inspect network logs while running and review your BrowserAct account activity after first use.

Purpose & Capability: noteThe skill's name/description match what the included script does: it calls BrowserAct workflow endpoints to run a Google Images scraping workflow. One incoherence: the declared required binary is spelled 'pyhon' (likely intended to be 'python'), which is a minor but actionable mismatch that could prevent environment checks or automated installs from detecting the real requirement.
Instruction Scope: okSKILL.md instructs the agent to check BROWSERACT_API_KEY, run the included python script with search parameters, monitor stdout logs, and retry once on non-auth errors. It does not ask the agent to read unrelated files, other environment variables, or transmit data to unexpected endpoints.
Install Mechanism: okNo install spec is provided (instruction-only with an included script). The bundled script is small and straightforward; it uses Python and the requests library and makes HTTPS calls to api.browseract.com. There are no downloads from untrusted URLs or archive extraction steps.
Credentials: okOnly BROWSERACT_API_KEY is required, which is appropriate for calling the BrowserAct API. The skill does not request unrelated secrets or config paths. The README correctly instructs to halt if the key is not present.
Persistence & Privilege: okThe skill does not request permanent 'always' inclusion, does not modify other skills or system configs, and does not request elevated privileges beyond running a script and making outbound HTTPS calls.