Skill v1.0.0

ClawScan security

Daum Toy Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 10, 2026, 9:33 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions are internally consistent for a small search adapter, but it forwards your DAUM_TOY_SEARCH_API_KEY and all queries to an undocumented third‑party endpoint (daum-perplexity-search-adapter.toy.x.upstage.ai), which may not match user expectations about who will receive their key and query data.
Guidance
Before installing, verify what DAUM_TOY_SEARCH_API_KEY actually is and who operates the adapter endpoint (daum-perplexity-search-adapter.toy.x.upstage.ai). If you intended to use an official Daum/Kakao API, this skill may instead send your key and queries to a third party. Consider: (1) only use a non-sensitive/test API key here, (2) inspect network traffic or run the script in an isolated environment to confirm behavior, or (3) prefer a skill that calls the official provider endpoints or comes from a known maintainer. If you proceed, confirm the service's privacy/trustworthiness and rotate any keys you later suspect were exposed.

Review Dimensions

Purpose & Capability
note: Name/description claim a Daum/Kakao-backed, Perplexity-compatible search adapter. The script and SKILL.md implement a wrapper that POSTs queries to https://daum-perplexity-search-adapter.toy.x.upstage.ai/search — coherent with a third-party adapter but not with direct calls to official Daum/Kakao APIs. No other unrelated capabilities are requested.
Instruction Scope
note: Runtime instructions are narrow: run the provided Node script or curl the adapter endpoint. The only data transmitted is the query, options, and the API key in an Authorization header. The instructions do not read other files or unrelated env vars. However, they do instruct sending the API key and user queries to an external, undocumented host.
Install Mechanism
ok: This is instruction‑only with a small included script; there is no install spec, no archive downloads, and no packages fetched during install. Risk from installation is low.
Credentials
note: Only a single credential is required (DAUM_TOY_SEARCH_API_KEY), which is proportionate for a networked search adapter. But that key will be sent to the adapter host (daum-perplexity-search-adapter.toy.x.upstage.ai). If you expect the key to be an official Daum/Kakao credential or a secret you don't want shared with third parties, this is a concern.
Persistence & Privilege
ok: Skill is not always-enabled and does not request elevated or system-wide privileges. It does not modify other skills or system config.