Skill v1.1.0

ClawScan security

serpshot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 20, 2026, 8:24 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its purpose: it calls the Serpshot search API and only requests a Serpshot API key. One small note: the runtime assumes Python and the requests library, which are not declared as required binaries or installs.
Guidance
This skill appears to do what it says: it sends search queries to Serpshot using your SERPSHOT_API_KEY. Before installing, verify that serpshot.com and the API provider are trustworthy for your data, be aware that search queries (and results) go to a third party, and understand billing/credits and rate limits. Ensure your agent runtime has Python and the requests library available (the SKILL.md examples assume them) or adapt the calls to supported tools. Store the API key securely and revoke it if you later suspect misuse.

Review Dimensions

Purpose & Capability
note: Name/description match the declared requirement (SERPSHOT_API_KEY) and the SKILL.md shows direct calls to Serpshot endpoints. Minor mismatch: the runtime examples use Python and the 'requests' library but the registry metadata lists no required binaries or install steps; this is a usability/declared-dependency omission rather than a functional mismatch.
Instruction Scope
ok: SKILL.md instructs only how to call Serpshot API endpoints, how to set the API key, expected parameters, and how to handle responses. It does not ask the agent to read unrelated files, access other environment variables, or transmit data to unexpected endpoints.
Install Mechanism
ok: Instruction-only skill with no install spec (lowest-risk delivery). There are no downloads, extract steps, or third-party install sources.
Credentials
ok: Only a single credential (SERPSHOT_API_KEY) is required and used by the instructions. The key is appropriate for the stated purpose. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: Skill does not request always:true or other elevated persistence. It is user-invocable and allows normal autonomous invocation; this is expected for a web-search integration.