v1.0.0

Moark Web Search

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:10 AM.

Analysis

This is a straightforward web-search skill that uses a disclosed Gitee AI API key and endpoint, with only normal cautions about credential handling and installing an unpinned dependency.

Guidance: Before installing, make sure you are comfortable sending search queries to Gitee AI under your API key. Prefer using `GITEEAI_API_KEY` rather than placing secrets on the command line, and install the required Python dependency from a trusted environment.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
Ensure you have installed the required dependency (`pip install requests`).

The setup relies on a user-installed, unpinned Python package. This is normal for a small API wrapper, but users should install it from a trusted package source.

User impact: The skill depends on the local Python environment having the `requests` package installed.

Recommendation: Install dependencies from a trusted package index or controlled environment; pin versions if reproducibility or stricter supply-chain control is needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/perform_web_search.py
return os.environ.get("GITEEAI_API_KEY") ... "Authorization": f"Bearer {api_key}"

The script uses an API key from the environment or CLI argument as a bearer token for the web-search service. This is disclosed and purpose-aligned, but it means the skill can use the user's Gitee AI API access.

User impact: Searches made through this skill are sent to Gitee AI using the user's API credential and may consume that account's quota or access.

Recommendation: Use a dedicated or least-privileged API key where possible, prefer the environment variable over putting secrets directly in shell history, and rotate the key if it is exposed.