Skill v0.1.2
ClawScan security
Volcengine ARK Web Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 2:36 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required credential (ARK_API_KEY) line up with its stated purpose of routing web search queries through Volcengine ARK; there are no signs of unrelated access or hidden endpoints.
- Guidance: This skill appears to do exactly what it says: call the Volcengine ARK Responses API and format results. Before installing: (1) ensure you trust Volcengine and are comfortable providing an ARK_API_KEY; (2) consider creating a scoped API key with limited permissions and rotation policy; (3) you can test the script with --dry-run to inspect the payload without network traffic; (4) note that optional environment overrides ARK_MODEL and ARK_BASE_URL exist (they are not listed as required env vars in the frontmatter) — if you want to restrict behavior, avoid setting those or review their values; (5) review the bundled script if you need guarantees about logging, retries, or timeouts. Overall the bundle is internally consistent and proportionate to its stated purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description request fresh web results via Volcengine ARK and the package requires only python3 and ARK_API_KEY — both appropriate and expected for making API calls to Volcengine's Responses API.
- Instruction Scope (note): SKILL.md and the bundled script instruct the agent to build and POST a Responses API payload to Volcengine and summarize results. The script reads ARK_API_KEY (declared) and also optionally reads ARK_MODEL and ARK_BASE_URL from environment (these two are not listed in requires.env but are harmless optional overrides). The instructions do not request unrelated files, credentials, or external endpoints beyond the documented ARK endpoint.
- Install Mechanism (ok): No install spec; this is an instruction-only/text-bundle with a single Python script that uses the standard library for HTTP. Nothing is downloaded from arbitrary URLs or written to unusual locations.
- Credentials (note): Only ARK_API_KEY is declared as required and is the primary credential — this is proportionate. The script also optionally uses ARK_MODEL and ARK_BASE_URL environment variables (not listed in requires.env), which are convenient overrides but should be noted before deployment.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not modify other skills or system-wide configs. It makes network calls only to the Volcengine endpoint and behaves as a normal API client.
