Skill v1.0.0
ClawScan security
Serper Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 3:28 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (using a Serper.dev API key to run Google-like searches), but there are minor metadata and dependency gaps you should confirm before installing.
- Guidance: This skill appears to do what it says: programmatic Google-style search via Serper.dev using SERPER_API_KEY. Before installing:
  1. Confirm the source/owner and prefer skills with a homepage or repository (this skill lists 'source: unknown').
  2. Provide only the SERPER_API_KEY credential and verify its scope/usage limits in your Serper account.
  3. Ensure your runtime environment has the Python dependencies used in examples (requests, tldextract) or add explicit install steps.
  4. Be aware the Places endpoint can return phone numbers and other contact info; confirm this is allowed for your use case and complies with privacy laws and your organization's policies.
  5. Fix the metadata mismatch (registry says no env vars while SKILL.md requires SERPER_API_KEY) before enabling automated credential provisioning.

  If you need stronger assurance, ask the publisher for a link to a homepage or source repo and for explicit dependency/install instructions.
Review Dimensions
- Purpose & Capability (ok): Name/description (programmatic Google search via Serper.dev) align with the instructions and example code, which call serper.dev endpoints and return organic results. Requesting an API key (SERPER_API_KEY) is expected for this purpose.
- Instruction Scope (note): SKILL.md only instructs HTTP calls to Serper.dev endpoints and uses the SERPER_API_KEY environment variable. It includes lead-generation examples and uses the Places endpoint (which returns phone numbers/websites); collecting such contact data is within the declared purpose but is PII-relevant and you should ensure your use complies with laws/policies.
- Install Mechanism (note): Instruction-only skill (no install spec), so nothing is written to disk by the skill itself. However, the examples import 'requests' and 'tldextract' but the skill does not declare or provide installation instructions for these dependencies; you'll need to ensure the runtime environment has them.
- Credentials (note): The SKILL.md requires a single credential (SERPER_API_KEY), which is proportional. However, the registry metadata at the top of the evaluation lists 'Required env vars: none' while SKILL.md includes the env requirement and primaryEnv. This mismatch should be resolved before trusting automated installs/credential provisioning.
- Persistence & Privilege (ok): The skill does not request always:true and has no install hooks or config paths. It does not ask for system-wide permissions or other skills' credentials.
