Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Web Search

v1.0.0

Perform global web searches using Google Custom Search API with customizable result counts and high-quality results.

by ClawMem.com @leohuang8688
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md and code all consistently implement Google Custom Search usage (requests to Google's Custom Search API using an API key and CX). The capabilities requested by the code (GOOGLE_API_KEY, GOOGLE_CX) are appropriate for the stated purpose. However, the registry metadata incorrectly lists no required environment variables/credentials, which is a meaningful inconsistency.
Instruction Scope
SKILL.md instructs the agent to read environment variables or a .env file and to call Google's Custom Search API. The runtime instructions and the code only reference the search API, .env loading, and printing/returning search results. There is no instruction to read unrelated system files or to transmit data to unexpected endpoints. Minor issue: SKILL.md mentions copying a .env.example, but no .env.example file is present in the package.
Install Mechanism
No install script is provided (instruction-only install), so nothing will be downloaded or executed automatically beyond the normal pip installation of declared dependencies. requirements.txt lists only 'requests' and 'python-dotenv', which are proportional to the task.
Credentials
The code and SKILL.md require two credentials (GOOGLE_API_KEY and GOOGLE_CX), which are reasonable and minimal for Google Custom Search. The concern is the registry metadata advertises zero required env vars/credentials; that mismatch could lead agents or platform automation to not prompt the user for the required secrets or mis-handle permissions. The code also loads a .env from the skill directory — storing keys in plaintext in a workspace is normal but has privacy implications that the user should consider.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or global agent settings. It only performs network calls to the Google API via requests; autonomous invocation is allowed (default) but not an additional red flag here.
What to consider before installing
This skill appears to actually be a straightforward Google Custom Search client, but the registry metadata omits the fact that it requires GOOGLE_API_KEY and GOOGLE_CX — a manifest/documentation mismatch. Before installing: (1) confirm you are comfortable providing a Google API key and CX, (2) prefer storing keys in a secure secrets store rather than plaintext .env files in the workspace, (3) review the included src/google_search.py (it only calls Google APIs and formats results), and (4) ask the publisher or registry to correct the metadata so required credentials are declared. If you cannot verify the source or the metadata, run this skill in a sandboxed environment to limit exposure of your other workspace files.

Like a lobster shell, security has layers — review code before you run it.

latestvk971929katnk958gn4nxks2c0s833xh5
