ClawHub
Back to skill
v3.0.1

You.com Web Search & Research API

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This is a coherent You.com API integration guide that uses an expected API key and may help edit or add project dependencies, with no evidence of hidden, destructive, or deceptive behavior.

GuidanceThis appears reasonable for developers who want direct You.com API integration. Before installing, confirm you trust the publisher and endpoints, keep your API key out of code and logs, review any generated code or dependency installs, and treat retrieved web content as untrusted data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
allowed-tools: Read Write Edit Bash(pip:install) Bash(npm:install) Bash(bun:add)

The skill can modify project files and run scoped package-manager install commands; this fits an API integration skill but can change the user's local project environment.

User impactThe agent may edit files or add dependencies while helping integrate the You.com APIs.
RecommendationReview proposed file changes and package installs before approving them, and keep dependency additions limited to what your project actually needs.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
All APIs use the same authentication: `X-API-Key` header with the You.com API key.

The skill requires a service API key to call You.com endpoints; this is expected and disclosed, with no evidence of unrelated credential use.

User impactYour You.com API key may be used by generated examples or integrations to make API calls under your account.
RecommendationStore the key in an environment variable such as YDC_API_KEY, avoid committing it to source control, and rotate or revoke it if exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Base URL: `https://api.you.com` ... Base URL: `https://ydc-index.io`

The skill is designed to send user queries or requested URLs to external You.com API endpoints; this external data flow is disclosed and central to the purpose.

User impactSearch questions, research prompts, and URLs submitted through generated integrations may be sent to You.com services.
RecommendationDo not submit confidential data unless that matches your organization's policy and You.com's terms for API usage.
Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
Search API — Get raw web and news results for a query. You control what happens with the results — feed them into your own LLM ... Contents API — Extract full page content (HTML, Markdown, metadata) from specific URLs.

The skill retrieves web results and page contents for downstream processing; retrieved web content is untrusted context and may contain misleading or adversarial text.

User impactIf search results or crawled pages are treated as instructions rather than data, they could influence an agent or LLM in unintended ways.
RecommendationTreat returned snippets, HTML, and Markdown as untrusted data; validate important sources and do not let retrieved content override user instructions or safety checks.