Cue
Review
Audited by ClawScan on May 10, 2026.
Overview
Cue’s research purpose is coherent, but its registry/install metadata understates required credentials, code execution, persistent storage, and background monitoring.
Install only if you are comfortable running a Node.js package that stores data in ~/.cuecue, uses dedicated CueCue/Tavily keys, may use notification tokens, and runs periodic monitoring. Verify how to disable background jobs and clean up stored data before installing.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may install it without seeing the real setup, dependency, credential, and runtime expectations in the registry summary.
The registry/install contract says instruction-only with no env requirements, but the supplied artifact contains a runnable Node package with many code files and documented API key use.
Required env vars: none ... No install spec — this is an instruction-only skill ... Code file presence 44 code file(s)
Update registry metadata/install specs to declare the Node package, npm install step, required/optional env vars, external endpoints, persistent storage, and background jobs.
The skill could act through third-party research/search services and notification channels using the user’s credentials.
The skill uses provider API keys and possibly notification-channel tokens, while the registry declares no credentials or env vars.
Requires CUECUE_API_KEY (required), optional TAVILY_API_KEY ... May reuse OpenClaw channel tokens (e.g., FEISHU_*) for notifications
Only configure dedicated, least-privilege keys; ensure FEISHU/OpenClaw notification tokens are explicitly declared and opt-in.
Monitoring may continue running periodically and sending notifications after the initial research request.
The skill describes persistent background monitoring after install, which is purpose-aligned for alerts but needs clear user control, disablement, and metadata disclosure.
Installs cron job running every 30 minutes for monitoring
Require explicit user opt-in for background monitoring, document how to pause/stop it, and declare it in the registry/background capability metadata.
Installing the skill means trusting its local Node.js code and worker processes.
The static scan shows local subprocess execution; this appears expected for asynchronous research workers, but it is not instruction-only behavior.
const researchProcess = spawn('node', [
Review the source/package provenance before running it, and avoid installing if you only want a prompt-only skill.
Financial research topics, monitor rules, and logs may remain on disk after use.
The skill stores research tasks, monitor settings, and logs locally for reuse across sessions.
Creates persistent local storage at `$HOME/.cuecue` (user data, tasks, monitors, logs)
Treat ~/.cuecue as sensitive, review its contents periodically, and use the documented cleanup steps when uninstalling.
Your research questions and identifiers may be visible to those external services.
The skill sends research topics, chat IDs, and search queries to external provider APIs as part of its advertised function.
`https://cuecue.cn` | Deep research | Research topic, chat_id ... `https://api.tavily.com` | News search | Search query
Avoid sending confidential financial or business topics unless you trust the providers and their data-handling terms.
