Clawhub Skill Search
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly a documentation-only guide, but bundled files expose apparent Clawhub and WeChat credentials and include authenticated publishing instructions.
The core skill-search content appears benign, but do not install or share this version until the exposed credentials are removed and revoked. Treat the included publishing/report files as sensitive, and only use a republished package with placeholder credentials and no local auth paths.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is valid, someone who sees the package could potentially act as the associated Clawhub account, including publishing or modifying content.
The release report includes an apparent Clawhub bearer token and its local config path, even though the skill metadata declares no credential requirement.
**Token**: `clh_BXhiYX...JbHPYIg` ✅
Do not use this package as-is. The publisher should revoke the exposed token, remove it from the package history, and republish without credentials or local auth paths.
A real WeChat app secret could allow unauthorized access to a WeChat publishing integration, and users may mistakenly copy or rely on leaked credentials.
The example uses concrete-looking WeChat App ID and App Secret values instead of placeholders for a publishing workflow.
export WECHAT_APP_ID=wxd3d9...defcd
export WECHAT_APP_SECRET=52bae...a6da
Replace these with clear placeholders such as `YOUR_WECHAT_APP_ID` and `YOUR_WECHAT_APP_SECRET`, and rotate the exposed secret if it was real.
A user or another agent could copy these instructions and perform authenticated publishing actions with the exposed token.
The bundled report documents a raw authenticated API upload flow using the embedded token; publishing is an account-mutating action unrelated to ordinary skill search.
$headers = @{ "Authorization" = "Bearer $token" }
$response = Invoke-RestMethod -Uri "https://clawhub.ai/api/v1/skills" -Method Post
Remove authenticated upload scripts from the installed skill package, or rewrite them to use user-supplied credentials with explicit warnings and confirmation.
