Skill v1.0.8
ClawScan security
Skywork Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 10, 2026, 1:35 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required environment variables match its stated purpose (running up to 3 web searches via the Skywork API) and do not request unrelated secrets or elevated privileges.
- Guidance: This skill appears to do exactly what it claims: call the Skywork web_search endpoint using the SKYWORK_API_KEY. Before installing:
  1. Verify you trust the Skywork service and its domain (api-tools.skywork.ai) and are comfortable supplying an API key.
  2. Store the API key securely (avoid echoing it in shared shells or logs; prefer secure config storage).
  3. Be aware the script writes search results to a temp directory; if results may contain sensitive data, clean up or control access to those files.
  4. If you have organizational policy about third-party API keys, confirm compliance and quota/cost implications.

  The code is small and readable; if you want extra assurance, review the scripts locally before running.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (python3), and required env var (SKYWORK_API_KEY) are coherent with a web-search API client. The included scripts implement a simple POST to a Skywork gateway; nothing outside web-search is requested.
- Instruction Scope (note): SKILL.md tells the agent to run the bundled Python script and to store the API key in environment or config files (~/.openclaw/openclaw.json or ~/.claude/settings.json). That is expected for an API-backed skill, but users should be aware the script writes search results to a temporary directory and that the setup guide suggests echoing the key (which could leak in shared shells or logs).
- Install Mechanism (ok): No install spec; the skill is run from included Python scripts. No network downloads or archive extraction are performed by an installer.
- Credentials (ok): Only one credential is required (SKYWORK_API_KEY) and it is used directly to authenticate requests to the Skywork API. The references explain storing the key in OpenClaw/Claude config which is consistent with primaryEnv usage.
- Persistence & Privilege (ok): "always" is false and the skill does not modify other skills or system settings. It only reads the declared SKYWORK_API_KEY environment variable and writes temporary result files.
