Back to skill
Skillv1.0.2
ClawScan security
A google search powered by scrapingdog · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 7, 2026, 7:39 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and requested environment access are consistent with a simple ScrapingDog-backed Google search CLI and do not request unrelated credentials or perform unexpected actions.
- Guidance
- This skill appears to do exactly what it says: run a bundled Python script that sends your query (and SCRAPINGDOG_API_KEY) to api.scrapingdog.com and returns results. Before installing: 1) Be comfortable providing your ScrapingDog API key (requests to the API include that key). 2) Avoid sending sensitive secrets or private data in queries because they will be transmitted to ScrapingDog. 3) Confirm you trust the skill source (homepage unknown) or review the included script — it's short and readable. 4) The SKILL.md suggests pip installing 'requests' if missing; prefer to install packages in a controlled environment (venv) rather than system-wide. If you want extra caution, rotate your ScrapingDog key after testing or create a restricted key on the ScrapingDog side if available.
Review Dimensions
- Purpose & Capability
- okName/description (Google searches via ScrapingDog) matches the included script and required environment variable. Required binary (python) and SCRAPINGDOG_API_KEY are appropriate and proportionate to the stated purpose.
- Instruction Scope
- okSKILL.md instructs the agent only to check SCRAPINGDOG_API_KEY, resolve and run the bundled script, and present results. It does not instruct the agent to read unrelated files, other env vars, or send data to unexpected endpoints.
- Install Mechanism
- okNo install spec is provided (instruction-only). The SKILL.md suggests installing the well-known 'requests' Python package with pip if missing — this is a minimal, expected dependency.
- Credentials
- okOnly SCRAPINGDOG_API_KEY is required (declared as primaryEnv). That key is necessary to call the ScrapingDog API; no unrelated secrets or config paths are requested.
- Persistence & Privilege
- okalways is false and the skill does not request elevated persistence or attempt to modify other skills or system-wide settings. Normal autonomous invocation is enabled by platform default and is not combined with other red flags.