Skill v0.1.1

ClawScan security

Search Intelligence Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 12:35 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
This package appears to implement what it claims — a SearXNG-backed OSINT/advanced search skill — and does not request unrelated credentials or obscure installs, but review remaining source files before trusting it in sensitive environments.
Guidance
This skill is internally consistent with its description: it uses a local or user-provided SearXNG instance (no API keys required) and implements dork generation, intent parsing, and result analysis. Before installing, consider:
1) Run the code in a controlled environment and point it to a SearXNG instance you control (default is localhost).
2) Review the omitted/truncated source files (notably skill.py and strategies.py) for any unexpected network calls, telemetry, or subprocess execution.
3) Be aware that the tool is explicitly designed for OSINT/security research and includes example queries that locate exposed secrets and personal data; using it against systems or people without authorization can be illegal or unethical.
4) The registry metadata vs. SKILL.md shows a minor mismatch (install metadata present in SKILL.md), so prefer installing from a vetted source (your own clone of the repo) rather than an unknown package index build.
If you want higher assurance, request a full diff or a reproducible build and scan the remaining files for outbound endpoints or obfuscated code.

Review Dimensions

Purpose & Capability
ok · Name/description (advanced search, dork generation, OSINT, SEO, security scanning) align with the included code: intent parsing, dork generation, a SearXNG HTTP client, and result analysis. The requested runtime pieces (python, httpx) are proportional to the stated purpose.
Instruction Scope
ok · SKILL.md runtime instructions limit network access to a user-provided SearXNG instance and describe local installation and use. Example usage includes potentially privacy-invasive queries (exposed .env, admin panels, investigating emails/phones), but those examples are consistent with the skill's stated OSINT/security focus and do not instruct reading unrelated local files or environment secrets.
Install Mechanism
note · No remote binary downloads or obscure installers are present: the package uses normal Python packaging (setup.py, pip install -e .) and a single external dependency (httpx). One minor inconsistency: the registry metadata indicated 'no install spec / instruction-only' while SKILL.md includes pip installation metadata; this is likely a metadata mismatch rather than malicious activity.
Credentials
ok · The skill declares no required environment variables or credentials, and the code shown uses a configurable SearXNG base URL (default localhost). There are no hard-coded external API keys or telemetry endpoints visible in the provided files. The examples intentionally search for exposed secrets (e.g., API_KEY on GitHub); that is a feature for OSINT, but the skill does not request secrets to operate.
Persistence & Privilege
ok · No elevated privileges requested. Flags show always:false and user-invocable:true (normal). The package does not request persistent platform-wide modification or access to other skills' configs in the reviewed files.