Skill v2.0.0

ClawScan security

goods-search-v2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 7, 2026, 1:38 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is broadly coherent with a product-search integration, but the package silently requires network credentials (VIKING_AISEARCH_API_KEY / base URL / application id) and ships a .env and client code while its declared metadata lists no required credentials — this mismatch and automatic dotenv loading raise caution before installing.
Guidance
What to consider before installing:
- The package contains a Python client that will call an external AISearch service (aisearch.cn-beijing.volces.com by default). To function you must provide an API key (VIKING_AISEARCH_API_KEY) and possibly override the base URL and application id. The skill metadata did NOT declare these required credentials; treat that as a red flag.
- The client auto-loads a local scripts/.env file if present. Review or remove that file if you do not want base URLs or IDs set by the packaged file to be used.
- The code will send user text, any provided image Data URIs (base64) and contextual fields (e.g., location) to the remote service. Do not allow it to process sensitive text or private images unless you trust the endpoint and the API key's access scope.
- If you decide to use it: supply a minimum-privilege API key (scoped/limited quota), confirm the endpoint is from a trusted vendor, and run the scripts in a controlled environment (network egress restrictions, logging review). Also update the skill metadata to declare required env vars so future reviewers are not misled.
- Because of the metadata/code mismatch, proceed cautiously; if you need a conclusive safety decision, ask the publisher to clarify why required credentials are not declared and for provenance/ownership of the endpoint.

Review Dimensions

Purpose & Capability
concern
The SKILL.md and bundled Python client implement a shopping search integration (chat/search) against a Viking/Volcengine AISearch endpoint, which aligns with the skill name/purpose. However, the skill metadata claims no required environment variables or credentials while the code enforces VIKING_AISEARCH_API_BASE and VIKING_AISEARCH_API_KEY (and uses VIKING_AISEARCH_APPLICATION_ID). That mismatch (metadata vs. actual runtime requirements) is incoherent and could mislead users about what secrets will be needed.
Instruction Scope
note
Runtime instructions direct the agent to call chat and search APIs and to run scripts/viking_aisearch.py (examples included). The SKILL.md itself does not ask the agent to read arbitrary system files, but the included client code will load a local .env (scripts/.env) and environment variables and will send text and image data (including Data URI images) to the external AISearch endpoints. The instructions permit sending user images and contextual info (e.g., location) to the remote service; users should understand that queries and images may leave the local environment.
Install Mechanism
ok
There is no external install spec or remote download; the package is instruction/code-only and only requires the 'requests' dependency listed in requirements.txt. No remote archives or obscure installers are used. This is low installation-risk, but note code files will be present on disk and can be executed.
Credentials
concern
The Python client requires VIKING_AISEARCH_API_BASE, VIKING_AISEARCH_API_KEY and an application ID at runtime and will raise an error if base_url or api_key are missing. Yet the skill metadata declared no required env vars or primary credential. The package also ships a scripts/.env file that pre-populates base URL and application id; that means simply installing the skill could enable outbound calls to the listed AISearch host (though the API key in the included .env is empty). The discrepancy between declared and actual environment/credential needs is a proportionality and transparency concern.
Persistence & Privilege
ok
The skill does not set always:true and does not request system-wide privileges. It will not autonomously persist configuration beyond reading/writing environment variables from a local .env when loading, which is limited to its own package directory. Autonomous invocation is allowed (platform default) but is not combined here with excessive privileges.