Skill v1.0.0

ClawScan security

Perplexity Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 2:56 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely behaves like a Perplexity web-search wrapper, but the package metadata and SKILL.md disagree about required credentials and dependencies, which is an incoherence the user should understand before installing.
Guidance
This skill appears to be a straightforward wrapper around Perplexity's API, but there are metadata inconsistencies you should resolve before installing. Confirm that: (1) you will provide a PERPLEXITY_API_KEY in the environment (the SKILL.md and script require it even though the registry metadata does not list it), (2) your environment has the Python 'requests' package installed or the skill declares how to install it, and (3) you're comfortable with queries and their text being sent to https://api.perplexity.ai/v1/agent (the third-party service will receive user queries and responses). Use a least-privileged API key, review your privacy policy for sending user data to external services, and consider asking the publisher to correct the manifest to explicitly declare PERPLEXITY_API_KEY as the primary credential and list dependencies.

Review Dimensions

Purpose & Capability
note: Name/description and the included scripts/search.py align with a Perplexity API web-search wrapper. However, the registry metadata states 'Required env vars: none' while SKILL.md and the script require PERPLEXITY_API_KEY; the skill also uses the Python 'requests' library but no dependency is declared.
Instruction Scope
ok: SKILL.md instructs the agent to run scripts/search.py with the user query and present the returned 'answer'. The script only reads PERPLEXITY_API_KEY from the environment and posts the query to https://api.perplexity.ai/v1/agent; it does not access unrelated files or other environment variables.
Install Mechanism
note: No install spec is provided (instruction-only), which minimizes install risk, but the Python script relies on the third-party 'requests' package. The skill does not declare this dependency or provide installation instructions, which is an operational inconsistency (not a direct security exploit, but can cause runtime issues).
Credentials
concern: SKILL.md and the script require PERPLEXITY_API_KEY (appropriate and proportionate for a wrapper to Perplexity), but the package metadata advertises no required env vars or primary credential. This mismatch means an agent or installer may not surface the required API key and could lead to misconfiguration or accidental leakage if users supply credentials elsewhere.
Persistence & Privilege
ok: The skill does not request elevated persistence (always:false) and does not modify other skills or system-wide settings. It simply calls an external API at runtime.