Skillv1.0.0

ClawScan security

Web Search Plus 2.8.6 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 16, 2026, 12:38 PM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files, runtime instructions, and requirements are consistent with a multi-provider web-search aggregator; no large incoherences or hidden endpoints were found, but provenance and a few operational details deserve attention before installation.
Guidance: This package appears to be what it claims: a Python-based multi-provider web search aggregator with auto-routing. Before installing or running it: 1) Verify the source provenance (no homepage listed and 'source: unknown' in the registry); prefer code from a known/trusted origin. 2) Review and, if needed, sanitize the .env file placed in the skill directory — the script auto-loads .env and will import those values into the process. 3) Remember that query text is cached to .cache/ by default (may include sensitive queries); set WSP_CACHE_DIR or use --no-cache if that concerns you. 4) If you plan to use Perplexity via Kilo, KILOCODE_API_KEY is required and traffic goes to api.kilo.ai; confirm you are comfortable sending queries to that gateway. 5) Inspect and run setup.py manually (not as root) to review any network tests it performs (changelog notes SSRF protections were added recently). If you need higher assurance, obtain the repo from the upstream GitHub link referenced in the docs or ask the publisher for a signed release/build before enabling the skill in production.
Findings: [pre-scan-injection-signals-none] expected: The static pre-scan reported no injection signals. The skill contains network calls to documented provider endpoints (e.g., api.kilo.ai for Perplexity via Kilo) which are expected for a search aggregator.

Review Dimensions

Purpose & Capability: okThe name/description (multi-provider web search with auto-routing) matches what the package includes: a Python CLI, provider connectors, routing logic, and local result caching. Required binaries (python3, bash) are appropriate. Provider API keys are optional in the docs (one key suffices), which aligns with being an aggregator that can operate with a single configured provider or a self-hosted SearXNG instance.
Instruction Scope: noteRuntime instructions direct the agent to run scripts/setup.py and scripts/search.py and to place API keys in environment variables or config.json — all within the search skill's scope. Two operational notes: (1) the code auto-loads a .env file from the skill directory (it will set environment variables found there if not already set), and (2) results are cached to a local .cache/ directory by default, so queries (which may contain sensitive data) are written to disk. The changelog mentions SSRF protection for SearXNG setup checks; the setup wizard is present in the repo and should be reviewed before running.
Install Mechanism: okNo automated install spec is included (instruction-only behavior plus source files). That is lower-risk than pulling remote binaries. The skill ships Python scripts which will run locally; there are no fetched/executed archives or remote install URLs in the provided files.
Credentials: noteThe skill requests multiple provider API keys (SERPER_API_KEY, TAVILY_API_KEY, EXA_API_KEY, YOU_API_KEY, KILOCODE_API_KEY) but marks them optional and documents that only one provider key is required. This is proportionate for an aggregator. Two practical caveats: (1) the script will auto-load .env from the skill folder (so placing other secrets there could leak them into the skill process), and (2) the cache persists queries locally (WSP_CACHE_DIR can be set to relocate it) — both are operational security considerations rather than signs of malicious behavior.
Persistence & Privilege: okThe skill is not set 'always: true' and does not request system-wide privileges. It writes cache files into its own .cache/ directory and reads/writes its own config; it does not modify other skills or system-wide agent settings. Autonomous invocation is enabled by default on the platform, which is normal.