Skill v2.0.0

ClawScan security

Unified Search - 统一智能搜索 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 3, 2026, 8:18 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with its stated purpose (routing queries to Baidu, DuckDuckGo, Bing and CoinGecko); it performs local Python script execution and web requests but does not request unrelated credentials or hidden endpoints.
Guidance
This skill appears to do what it says: it runs local Python scripts that scrape Baidu/Bing and call the public CoinGecko API, and it can optionally drive the platform browser. Before installing, consider: 1) auditing any other local skill it depends on (the SKILL.md and unified_search.py expect a 'ddg-search' skill in the workspace) because unified_search will invoke that script via subprocess; 2) these scripts perform web scraping and network calls to public sites (rate limits, CAPTCHAs, or site changes can break behavior); 3) run the skill in an isolated or test workspace if you want to inspect runtime behavior (it executes local code with your agent's privileges); and 4) no secrets are requested by this skill, but if you later add features that require API keys, re-evaluate proportionality. Overall the package is coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (Chinese→Baidu, English→DuckDuckGo, crypto→CoinGecko) match the included scripts and examples. The repository contains Python scripts that implement Baidu scraping, Bing scraping, CoinGecko API calls, and a unified entrypoint; these are appropriate for the stated functionality.
Instruction Scope
note
SKILL.md instructs the agent/user to run the provided Python scripts and to use the platform browser tool; it also suggests checking the local skills directory for a dependent 'ddg-search' skill. The runtime instructions and examples are concrete (running local scripts, browser actions) and do not ask the agent to read unrelated system files or secrets, but the skill assumes the presence of another local skill (ddg-search) and will call external websites (Baidu, DuckDuckGo/Bing, CoinGecko) as part of normal operation.
Install Mechanism
ok
There is no install spec; this is an instruction-and-code skill that runs local Python scripts. No external or opaque download URLs or archive extraction are used.
Credentials
ok
The skill declares no required environment variables or credentials. The code makes unauthenticated requests to public search endpoints and CoinGecko (public API). No secrets or unrelated service credentials are requested.
Persistence & Privilege
ok
Flags show always:false and normal agent invocation allowed. The skill does not request permanent system-wide privileges or modify other skills' configuration. It runs local scripts when invoked.