Skill v1.0.9

ClawScan security

Kimi Websearch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 1:32 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requested credentials line up with a Moonshot/Kimi web-search integration and do not ask for unrelated secrets or risky installs.
Guidance
This skill uses your Moonshot/Kimi API key and sends your prompts/conversation to https://api.moonshot.cn to obtain search results — if you install it, be aware your queries and context will go to that service (and may incur usage/costs). The included Python script itself does not crawl the web locally; it relies on Moonshot's model/tooling ($web_search) to return results and URLs. If you need private/offline searching or do not trust the Moonshot endpoint, do not provide your API key. Otherwise, the requested env vars and the code appear proportionate to the described websearch purpose. Verify you trust the Moonshot provider and that the API key you supply has appropriate scope/permissions and billing limits.

Review Dimensions

Purpose & Capability
ok: Name/description ask for a websearch capability and the skill requests Moonshot/Kimi API keys (KIMI_API_KEY or MOONSHOT_API_KEY). The script calls the Moonshot (api.moonshot.cn) chat/completions API and uses a Kimi model name, so requested credentials and endpoints are coherent with the stated purpose.
Instruction Scope
note: SKILL.md instructs running scripts/web_search.py which in turn calls the Moonshot API. The script does not perform local crawling itself; it relies on the remote model/tooling ($web_search) provided by Moonshot to obtain search results and URLs. This delegation is reasonable for a hosted websearch integration, but you should understand that user queries and the conversation context are transmitted to the Moonshot endpoint.
Install Mechanism
ok: There is no install spec that downloads arbitrary code; the skill is instruction-only with a single included Python script. SKILL.md lists a pip dependency on openai which matches the script's imports. No high-risk external download URLs or extract steps are present.
Credentials
ok: Only KIMI_API_KEY and MOONSHOT_API_KEY are required (primary is MOONSHOT_API_KEY). Those are expected for a Moonshot/Kimi integration and there are no unrelated secrets requested.
Persistence & Privilege
ok: The skill is not forced-always, and does not request elevated persistence or modify other skills or system configs. Autonomous invocation is enabled (default) but not combined with additional concerning privileges.