Nimble Web Search

v0.1.0

Real-time web intelligence powered by Nimble Search API. Perform intelligent web searches with 8 specialized focus modes (general, coding, news, academic, shopping, social, geo, location). This skill provides real-time search results when you need to search the web, find current information, discover URLs, research topics, or gather up-to-date data. Use when: searching for information, finding recent news, looking up academic papers, searching for coding examples, finding shopping results, discovering social media posts, researching topics, or getting latest real-time data.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (real-time web search via a Nimble Search API) aligns with the shipped scripts and examples, which POST JSON to an external search endpoint. However, the SKILL.md points users to nimbleway.com for keys while the scripts call https://nimble-retriever.webit.live/search — a different host. Also, the registry metadata does not declare the required NIMBLE_API_KEY environment variable (metadata: none; SKILL.md & scripts: require it). These mismatches are unexplained and warrant verification.
Instruction Scope
The SKILL.md instructions and examples are focused on making authenticated POST requests to the external search endpoint and include platform-specific guidance for where to place the API key. The scripts only perform expected tasks: validate env var, run queries, and format output. They do inspect common platform env vars (CLAUDE_CODE_VERSION, GITHUB_COPILOT, VSCODE_PID) to tag requests, but they do not attempt to read arbitrary files or other secrets.
Install Mechanism
No install spec; the skill is instruction-first and ships two small shell scripts. Nothing is downloaded or extracted at install time. This is low-risk from an installation perspective.
Credentials
At runtime the skill requires an API key (NIMBLE_API_KEY) for the external service and explicitly instructs users how to store it in agent/platform settings, but the declared metadata lists no required env vars or primary credential. That mismatch is confusing and potentially dangerous: users may not realize they must supply a secret, or may place it in a shared config file. The scripts also add tracking headers (X-Client-Source, X-Nimble-Request-Origin) when calling the external endpoint.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or system settings. It does not attempt to persist credentials itself; it only reads NIMBLE_API_KEY from environment, which is normal for API wrappers.
What to consider before installing
What to check before installing/use:

- Verify the API provider and endpoint: SKILL.md links to nimbleway.com for keys but the scripts call nimble-retriever.webit.live. Confirm that webit.live is a legitimate Nimbleway endpoint (ask the vendor or check their official docs/repo). Do not assume different domains are safe.
- Expect to provide an API key: although the registry metadata omits required env vars, the skill will fail without NIMBLE_API_KEY. Decide where to store the key (environment variable vs. agent settings) and avoid placing production/long-lived keys in broadly readable config files.
- Inspect network calls: the scripts send the key in Authorization headers to a third-party server and include tracking headers. If you’re concerned about telemetry or exfiltration, run the scripts in an isolated environment or capture network traffic to confirm behavior.
- Least privilege and rotation: provision an API key with minimal privileges and rate limits where possible. If the key is ever exposed, rotate it immediately.
- Confirm provenance: the skill's source is 'unknown' and homepage is missing. Prefer skills with a verifiable repository and published owner. If you proceed, try the validate-query.sh script with a throwaway key or in a sandbox first.
- If anything looks suspicious (unexpected host, undocumented telemetry, or unclear ownership), do not supply your production API key and prefer alternatives with clear provenance.

If you want, I can: (1) summarize the exact places to change if you want to re-point the endpoint to a different host, (2) produce a command to run the validation script in a sandboxed environment, or (3) craft minimal instructions for safely testing with a throwaway key.

Like a lobster shell, security has layers — review code before you run it.

latestvk97adbgxcbc8e6jgp165wtbd1d80a51m
