Nimble Web Search

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent Nimble web-search integration, but it requires a Nimble API key and sends search requests plus client-origin information to an external endpoint.

Install this if you intend to use Nimble's web search API and are comfortable providing a Nimble API key. Use a revocable key, avoid sensitive search queries, and verify that the documented endpoint is the provider you expect.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Nimble API key is required and will be used for requests made through the skill.

Why it was flagged

The wrapper sends the configured Nimble API key as a bearer token to the search service. This is expected for an authenticated search API, but it is still credential use that users should notice.

Skill content

-H "Authorization: Bearer $NIMBLE_API_KEY"

Recommendation

Use a dedicated, revocable Nimble API key and avoid sharing the configured environment with untrusted projects or users.

What this means

Search terms, request parameters, and client-origin information may be visible to the external search provider.

Why it was flagged

Search JSON is posted to an external endpoint, and the script adds a platform-origin tracking header. This matches the web-search purpose, but it means query contents and basic client-origin metadata leave the local environment.

Skill content

API_URL="https://nimble-retriever.webit.live/search" ... -H "X-Nimble-Request-Origin: $PLATFORM" ... -d "$JSON_WITH_DEFAULTS"

Recommendation

Do not include secrets, private documents, or sensitive internal details in search queries unless you are comfortable sending them to the provider.

What this means

If followed literally, an agent may refuse to use another available search method even when the user just wants web results.

Why it was flagged

This instruction tries to control agent behavior outside the immediate API call by discouraging use of alternative search tools when this skill is not configured.

Skill content

Do NOT fall back to other search tools - guide the user to configure first.

Recommendation

Treat this as setup guidance for this skill, not as a global prohibition; ask the user before blocking alternative search options.

What this means

Users may not see the credential and local tool requirements from the registry metadata alone.

Why it was flagged

The registry metadata under-declares operational requirements compared with the artifacts, which require NIMBLE_API_KEY and shell tools such as curl and jq. This is a disclosure/setup gap, not evidence of hidden install behavior.

Skill content

Source: unknown; Homepage: none; Required binaries: none; Required env vars: none; Primary credential: none

Recommendation

Before installing, verify the provider/repository you trust and ensure NIMBLE_API_KEY, curl, and jq are available if you plan to use the scripts.