Back to skill
Skillv1.0.0
ClawScan security
Datayes Web Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 5:27 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and requested environment variable (DATAYES_TOKEN) are consistent with a Datayes semantic search utility and do not request unrelated credentials or perform unexpected network or file access.
- Guidance
- This skill appears coherent: it will run the included Python script and send your DATAYES_TOKEN bearer token to Datayes endpoints (gw.datayes.com). Before installing, make sure you trust Datayes and are willing to provide an API token; use a revocable token and follow least-privilege practices. Because the script prints the raw JSON returned by the API, be aware that returned data may include sensitive content—avoid pasting that output into untrusted places. If you need stricter controls, review or run the included scripts locally to confirm behavior and consider limiting network access or using short-lived tokens.
Review Dimensions
- Purpose & Capability
- okName/description say it's a Datayes semantic search skill; the only required binary is python3 and the only required env var is DATAYES_TOKEN. Those are appropriate and proportional for calling Datayes APIs.
- Instruction Scope
- okSKILL.md instructs the agent to run the included Python script, to read the token from DATAYES_TOKEN, and not to hardcode tokens. The script only builds a POST to Datayes gptMaterials/v2 and prints the raw JSON response. The instructions do not ask the agent to read unrelated files or send data to other endpoints. (Note: the script outputs raw API JSON, which may contain sensitive material from Datayes.)
- Install Mechanism
- okNo install spec; skill is instruction-only with included Python scripts. No third-party packages are pulled and the script uses only the Python standard library—low installation risk.
- Credentials
- okOnly DATAYES_TOKEN is required. That credential is directly needed for Authorization to Datayes and is justified by the skill's purpose. No unrelated secrets or config paths are requested.
- Persistence & Privilege
- okalways is false and the skill does not modify other skills or system config. It runs only when invoked and does not request permanent elevated presence.