Skill v1.0.1

ClawScan security

Querit Web Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 5:01 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested environment variable (QUERIT_API_KEY) align with its stated purpose of calling the Querit web-search API; nothing in the package indicates covert or unrelated access.
Guidance
This skill appears to do what it says: run a Python script that sends your query to Querit's API using QUERIT_API_KEY. Before installing, consider: (1) QUERIT_API_KEY will be sent to an external service—only provide keys you trust and consider scoping/rotating the key; (2) the runtime must have Python and the 'requests' package installed or the script will fail; (3) any query text (including potentially sensitive information) will be transmitted to api.querit.ai, so avoid sending secrets; (4) review Querit's privacy and data-retention policies if you will send private data; (5) because the skill can be invoked by the agent, ensure you are comfortable with outbound network calls being made automatically. If you want extra safety, restrict the API key's permissions and monitor usage in the Querit dashboard.

Review Dimensions

Purpose & Capability
ok: Name/description, required binary (python3), and required env var (QUERIT_API_KEY) match the included script's behavior (it issues HTTPS POSTs to Querit's API). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok: SKILL.md instructs the agent to run the included Python script with a JSON string or plain query. The script only reads argv and the QUERIT_API_KEY env var and issues an HTTPS request to the hardcoded Querit endpoint; it does not read other files, system config, or extraneous environment variables.
Install Mechanism
note: No install spec (instruction-only) which lowers risk. One caveat: the script imports 'requests' but the skill does not declare an installation step to ensure the 'requests' package is present; this is an operational issue (not a security incoherence) and may cause runtime failures if the runtime lacks that package.
Credentials
ok: Only QUERIT_API_KEY is required and is the primary credential; this is proportional to a service that authenticates to an external search API. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
ok: Skill does not request always:true, does not modify other skills or system settings, and does not persist data locally. It simply performs network requests at runtime.