Skillv1.0.0

ClawScan security

Git Federation Searcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 23, 2026, 1:45 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (search multiple Git hosts), but there are inconsistencies and a few implementation choices that could expose credentials or perform unexpected network/system actions; review before installing.
Guidance: This skill appears to implement the advertised functionality, but review and mitigation steps are recommended before installing: - Inspect the full _web_search implementation (the provided snippet is truncated). Confirm whether it invokes shell commands or external endpoints and whether it uses environment variables — this affects injection risk. - Note that API tokens you add are stored in plaintext in instances.json under a hard-coded SKILL_DIR (/root/.openclaw/workspace/skills/git-federation-searcher). If you will add private instances, use least-privilege/read-only tokens and ensure file permissions are restrictive, or modify the code to store secrets safely. - Ensure curl is available on the host or adapt the code to use Python's HTTP libraries; the registry/metadata does not declare curl as a requirement even though the code calls it via subprocess. - Because the skill runs subprocesses to perform network calls, run it in a sandboxed environment (or non-privileged account) if you are unsure about trusting its source. - If you need higher assurance, ask the publisher to: (1) remove hard-coded absolute paths or make them configurable, (2) document any environment variables used (e.g., SearXNG URL), and (3) avoid shell invocation in favor of requests/urllib to reduce command injection risk. If you can retrieve and review the full git_federation_searcher._web_search function and confirm there are no shell/unsanitized string executions there, it would raise confidence. Without that, treat the skill as suspicious and proceed with caution.

Review Dimensions

Purpose & Capability: noteThe code and SKILL.md align with the stated purpose (search multiple self-hosted Git instances, add private instances, fallback to web search). However there is a mismatch between metadata and implementation: SKILL.md and the Python code rely on curl/subprocess for API calls, but the registry metadata lists no required binaries. Also meta.json declares 'exec' and 'web_search' permissions which correspond to the use of subprocess/curl and network access — that's expected but not fully documented in the registry fields.
Instruction Scope: noteRuntime instructions stay within the declared purpose (API calls to Git hosts, optional web fallback). The skill reads/writes an instances.json config and search_cache.json in a hard-coded SKILL_DIR and will accept and store API tokens for private instances. That storage and the network scanning behaviour are within the tool's remit but deserve attention because they broaden what the skill touches (local file system and arbitrary network hosts).
Install Mechanism: okThere is no install spec and requirements.txt lists no external packages; the code uses only the standard library and subprocess/curl. No external archive downloads or installers are used. The absence of a declared curl dependency in the registry is an oversight but not an installer risk.
Credentials: concernThe skill requests no environment variables or credentials in metadata, but it stores API tokens provided by the user in plaintext inside instances.json under a hard-coded SKILL_DIR (an absolute path under /root/.openclaw/...). Storing tokens unencrypted on disk is a sensitive operation and the absolute path may be unexpected. The SKILL.md mentions optional SearXNG for fallback but there is no declared env var for configuring its URL; the code snippet shown for the web fallback is truncated and appears to reference an endpoint (127.0.0.1) — this gap reduces confidence that external endpoints and env accesses are fully documented.
Persistence & Privilege: concernalways:false (good). The skill writes persistent config files into a hard-coded workspace path and will persist API tokens and instance data; that is normal for a configuration-capable skill but the absolute /root path and lack of explanation about file permissions increases risk if the skill runs in a multi-tenant environment. The skill does not request to modify other skills or system-wide configs.