Skill v0.1.1

ClawScan security

gemini-smart-search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 5:46 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini

Summary: The skill's files, runtime instructions, and requested credential align with a Gemini-backed search helper; nothing in the artifact indicates hidden exfiltration or unrelated privileges.
Guidance

This skill appears coherent and implements what it claims: a local Python-based Gemini search worker that needs a Gemini API key. Before installing:

- Confirm you provide SMART_SEARCH_GEMINI_API_KEY (or GEMINI_API_KEY) to the environment; the code prefers SMART_SEARCH_GEMINI_API_KEY. The registry metadata omits required env vars, so ensure the platform supplies the secret to the skill.
- Understand that the skill will make network calls to Google’s Generative Language API (generativelanguage.googleapis.com) and will send your queries and the API key via the x-goog-api-key header; make sure you’re comfortable with that outbound access and its quota/billing implications.
- Keep your key in a gitignored .env.local (the repo and scripts already recommend this); verify that your CI/agent runtime does not accidentally commit keys.
- If you rely on autonomous agent invocation, be aware that the agent can call this skill and thereby use your Google key; limit the key's permissions/quota as appropriate and monitor usage.
- Minor metadata nit: the registry lists no required env vars while the skill declares SMART_SEARCH_GEMINI_API_KEY as primary; verify that the platform/agent will surface that secret when the skill runs.

Overall, nothing in the code or docs suggests hidden endpoints, unrelated credential requests, or excessive privileges.

Review Dimensions

Purpose & Capability
ok · The name/description (Gemini smart search) matches the code and docs: a Python script that calls the Gemini Developer API, provides mode-based routing and fallback, and returns structured JSON. The required binary (python3) and the declared primary credential (SMART_SEARCH_GEMINI_API_KEY) are appropriate for this functionality.
Instruction Scope
ok · SKILL.md instructs running the local Python script (or a thin shell wrapper) and documents .env.local behavior and API key precedence. Runtime actions (reading repo-local .env.local, resolving the API key, POST to generativelanguage.googleapis.com, returning JSON) are within the stated purpose. The README/SKILL.md explicitly warns about not tracking keys and about wrapper vs Python entrypoint differences.
Install Mechanism
ok · This is instruction-plus-scripts with no install spec, the lowest-risk install model. There are no external download URLs or archive extraction steps. All network use is the expected Gemini API (generativelanguage.googleapis.com) and a static GitHub issue URL for escalation.
Credentials
note · The skill requires a Gemini API key (primaryEnv = SMART_SEARCH_GEMINI_API_KEY) and falls back to GEMINI_API_KEY; that is proportionate. Minor metadata inconsistency: the registry 'Required env vars' field lists none while the skill declares SMART_SEARCH_GEMINI_API_KEY as its primary credential. The declared primary credential is correct for the skill, but the registry metadata could more clearly mark the env var as required.
Persistence & Privilege
ok · always:false (no forced persistent inclusion). The skill only reads a repo-local .env.local and does not modify system-wide configs or other skills. Autonomous invocation is allowed by default (normal for skills) but not elevated here.