exa search

v1.0.0

Advanced web search with precise date filtering and content type selection. Use when you need academic papers, GitHub repositories, research content, or spec...

by claw0x@kennyzir
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign, high confidence
Purpose & Capability
Name/description (advanced web search) match the code and SKILL.md which call the Claw0x Gateway API. The single required credential (CLAW0X_API_KEY) and the documented endpoint (https://api.claw0x.com/v1/call) are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent/user to set CLAW0X_API_KEY and shows example calls. The runtime instructions and handler.ts only reference that env var and a network call to Claw0x; they do not instruct reading unrelated files, scanning local data, or sending data to unexpected endpoints.
Install Mechanism
No install spec is provided (instruction-only), and the single TypeScript handler is a small client wrapper. No downloads, package installs, or archive extraction are present. The only runtime effect is an outbound API call to api.claw0x.com, which is expected for this skill.
Credentials
Only CLAW0X_API_KEY is required, which is proportional to a gateway API client. The README suggests storing it in ~/.openclaw/.env but the code reads process.env.CLAW0X_API_KEY; no other secrets or unrelated credentials are requested.
Persistence & Privilege
always:false and default agent invocation are used. The skill does not request permanent/system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other concerning factors.
Assessment
This skill appears to be a thin client that forwards your query to Claw0x's API using the CLAW0X_API_KEY. Before installing: confirm you trust claw0x.com (the API endpoint and billing model will be tied to that provider), keep your CLAW0X_API_KEY secret and scoped/rotated if possible, and monitor usage/billing since calls are billable. If you want extra assurance, review the public repository referenced in SKILL.md to validate authorship and examine any upstream code. Finally, remember queries and returned content will transit the Claw0x service—do not send highly sensitive secrets in search queries.
handler.ts:12
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.
