Skill v1.0.0
ClawScan security
Skillsmp Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 1:41 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement a straightforward SkillsMP search, but the package metadata omits the SKILLSMP_API_KEY requirement that both SKILL.md and the included script depend on. This inconsistency is worth resolving before trusting the skill.
- Guidance: This skill's code and README expect a SkillsMP API key (SKILLSMP_API_KEY) even though the package metadata omits that requirement. Before installing or using it: 1) verify you are comfortable providing your SkillsMP API key and keep it secret (do not paste it into public places, and check that the script does not echo or log it); 2) confirm the domain is correct (https://skillsmp.com) and that network calls go only to that host; 3) ask the publisher to update the registry metadata to declare SKILLSMP_API_KEY as a required credential so tooling can surface it; 4) review search.sh yourself (it is short and readable) or run it in an isolated environment; and 5) if you need higher assurance, ask the author to sign the package or publish the source from a traceable repository. The metadata mismatch is the main issue here; the behavior otherwise looks consistent with the stated purpose.
Review Dimensions
- Purpose & Capability
- note: Name/description match the behavior in SKILL.md and search.sh (search SkillsMP via its API). However, the registry metadata lists no required environment variables while SKILL.md and search.sh clearly require SKILLSMP_API_KEY (and optionally SKILLSMP_LIMIT), creating an inconsistency between declared metadata and actual capability needs.
- Instruction Scope
- ok: Runtime instructions and the script call only SkillsMP endpoints (https://skillsmp.com/api/v1/...) and format the result locally. The script does not reference other system files, credentials, or external endpoints outside skillsmp.com, and it prints results to stdout.
- Install Mechanism
- ok: No install spec and no external downloads; the skill is instruction-only with an included shell script. No archive extraction or remote installers are used.
- Credentials
- concern: The script and SKILL.md require an API key (SKILLSMP_API_KEY) and optionally SKILLSMP_LIMIT, which are proportionate to the task. But the registry metadata fails to declare any required environment variables or a primary credential, which is a material metadata mismatch and could lead to surprise when installing or running the skill.
- Persistence & Privilege
- ok: The skill does not request persistent/system privileges (always:false) and does not modify system or other skills' configurations. It only runs as-invoked.
