Back to skill
Skillv1.0.3
ClawScan security
InfoQuest Web Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 23, 2026, 8:23 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested API key align with its stated purpose (web/image search and content extraction via BytePlus InfoQuest); nothing requests unrelated credentials or system access.
- Guidance
- This skill appears to be what it claims: a Node CLI wrapper around BytePlus InfoQuest. Before installing, confirm the API key you provide is from the official BytePlus console and has only the permissions you expect. Run the scripts in a controlled environment if you want to inspect traffic (they POST to search.infoquest.bytepluses.com and reader.infoquest.bytepluses.com). If you use an account-level key, consider creating a limited key for this purpose and monitor usage/rate limits. No unrelated credentials are requested.
Review Dimensions
- Purpose & Capability
- okName/description request a single service (InfoQuest) and the skill only requires node and an INFOQUEST_API_KEY. The requested binary and env var are appropriate and proportional to a web/search/extract integration.
- Instruction Scope
- okSKILL.md instructs running the included Node CLI scripts and setting INFOQUEST_API_KEY. The runtime instructions and code only read command-line args, the declared env var, and call the InfoQuest endpoints; they do not access unrelated files, secrets, or system configuration.
- Install Mechanism
- okThere is no install spec and included files are simple Node scripts. No downloads from untrusted URLs, no archive extraction, and only an optional node-fetch dynamic import for older Node versions.
- Credentials
- okOnly INFOQUEST_API_KEY is required and is used as an Authorization header for the service's endpoints. No other credentials or broad-scoped environment variables are requested.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or system-wide settings. It does not request persistent agent presence or elevated privileges.