Skillsmp Search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward SkillsMP search wrapper, but users should notice that it needs a SkillsMP API key and local command-line tools that the registry metadata does not declare.

This skill looks benign for searching SkillsMP. Before installing, be aware that it requires a SkillsMP API key and sends your search query to skillsmp.com, and that its local dependencies should be present even though the registry does not declare them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and configured, searches will use the user's SkillsMP API key to authenticate to skillsmp.com.

Why it was flagged

The script reads a SkillsMP API key from the environment and sends it as a bearer token to the SkillsMP API. This is expected for the service integration, but users should notice the credential use because the registry declares no required environment variables or primary credential.

Skill content

API_KEY="${SKILLSMP_API_KEY:-}" ... -H "Authorization: Bearer ${API_KEY}"

Recommendation

Use a SkillsMP API key with the minimum privileges available, and remove or rotate it if you no longer use the skill.

What this means

The skill may fail or behave differently on systems without curl and python3, and these dependency requirements are not visible from the registry declarations.

Why it was flagged

The script relies on local curl and python3 commands, while the registry metadata lists no required binaries and no install spec. This is a packaging/dependency disclosure gap, not evidence of malicious behavior.

Skill content

RESPONSE=$(curl -s -X GET "https://skillsmp.com/api/v1/skills/search?q=${QUERY}&limit=${LIMIT}" ...)

echo "$RESPONSE" | python3 -c

Recommendation

Confirm curl and python3 are present before use; publishers should declare these runtime dependencies in metadata.