Skillv1.0.1

ClawScan security

Perplexity Search Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 11, 2026, 5:01 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and required environment variables are consistent with a Perplexity Sonar web-search integration and do not request disproportionate access.
Guidance: This skill appears coherent and implements a Perplexity Sonar search using only your PERPLEXITY_API_KEY. Before installing: (1) confirm you trust the skill owner/source (source is listed as unknown in the metadata); (2) only provide a Perplexity API key you are comfortable using (the key is sent to api.perplexity.ai—do not use a key tied to highly sensitive accounts); (3) avoid sending PII or secrets as query text since queries go to an external service and may incur cost; (4) be aware the agent may auto-invoke this skill for web-related queries—disable autonomous invocation if you prefer manual control; (5) if concerned, review the included script (it is short and uses only stdlib) or run it manually to verify behaviour. Overall the files and instructions match the stated purpose.

Review Dimensions

Purpose & Capability: okName/description (Perplexity Sonar web search) match what the skill requires and does: a python3 script that POSTs queries to Perplexity's API and needs a PERPLEXITY_API_KEY. Nothing unrelated (no cloud provider creds, no filesystem scans, no unrelated binaries) is requested.
Instruction Scope: okSKILL.md instructs the agent to extract a query and run the included Python script. The instructions and agent workflow stay within the stated purpose and explicitly restrict reading the API key from the environment only. The script itself only constructs a JSON payload, calls the Perplexity endpoint, and formats the response—it does not reference other files, paths, or unexpected endpoints.
Install Mechanism: okThere is no install spec; this is instruction + bundled python script. The script uses only the Python standard library (urllib), so there are no downloads or package installs that would write arbitrary code to disk at install time.
Credentials: okOnly one environment variable is required (PERPLEXITY_API_KEY) and it is the primary credential needed to call the Perplexity API. Declared env vars align with the skill's functionality and the code only reads that single variable.
Persistence & Privilege: okThe skill is not marked always:true, does not request persistent system privileges, and does not modify other skills' configurations. It can be invoked autonomously by the agent (default) but that is expected for an auto-invoked search skill.