Skill v1.0.1
ClawScan security
Ollama Web Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 8:11 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required credential (OLLAMA_API_KEY) are consistent with its stated purpose of calling Ollama's web_search API.
- Guidance: This skill appears coherent and small, but before installing: ensure you trust the Ollama service and protect your OLLAMA_API_KEY (do not share it). Verify your runtime Node has global fetch (Node 18+ or polyfill) so the script runs correctly. Note the small metadata version mismatch (_meta.json 1.0.0 vs registry 1.0.1) — likely benign but you may want to confirm you have the intended release. If you need stronger guarantees, run the script locally and inspect network traffic to confirm requests only go to https://ollama.com.
Review Dimensions
- Purpose & Capability: ok. Name/description match the behavior: the script performs a POST to https://ollama.com/api/web_search and requires only OLLAMA_API_KEY and Node.
- Instruction Scope: ok. SKILL.md instructs running the included Node script with a query; the script only reads command-line args and OLLAMA_API_KEY, calls the Ollama API, and prints JSON. It does not access unrelated files, other env vars, or external endpoints.
- Install Mechanism: ok. No install spec; the package is instruction+single script. Nothing is downloaded or extracted during install and no unusual packages or hosts are referenced.
- Credentials: ok. Only OLLAMA_API_KEY is required and declared as the primary credential. No other secrets, tokens, or config paths are requested or used.
- Persistence & Privilege: ok. The skill is not forced always-on, does not modify other skills or system config, and uses normal autonomous invocation defaults.
