smartsearch
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward web-search helper, but it sends search queries and an API key to an external Cloudsway API and returns untrusted web content.
Before installing, make sure you trust the Cloudsway search provider, have curl and jq available, and are comfortable setting CLOUDSWAYS_AK. Avoid searching for secrets or private data, and verify important answers against cited sources.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search queries may be visible to the Cloudsway API provider.
The script sends user-provided search parameters to an external API using curl. This is expected for a web-search skill and uses URL encoding, but it means search terms are transmitted outside the local agent.
CURL_ARGS=("--data-urlencode" "q=$QUERY") ... --url "https://aisearchapi.cloudsway.net/api/search/smart"
Use it for queries you are comfortable sending to the provider, and avoid putting secrets or highly sensitive data in search terms.
The skill uses your Cloudsway API credential to perform searches under that account or key.
The skill requires a provider API key and sends it in the Authorization header to the declared search endpoint. This is purpose-aligned and disclosed, with no evidence of logging or unrelated transmission.
if [ -z "$CLOUDSWAYS_AK" ]; then ... echo "Please set CLOUDSWAYS_AK environment variable." ... --header "Authorization: ${CLOUDSWAYS_AK}"
Use a scoped/revocable API key if available, and do not share the key in prompts or command output.
The skill may not run until curl, jq, and CLOUDSWAYS_AK are available, even though the registry metadata does not warn about them.
Registry-level requirements do not list the API key and helper binaries that the SKILL.md and script require. This appears to be an under-declared setup/preflight issue rather than hidden behavior.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Confirm the required tools and API key setup before use; maintainers should align registry metadata with the skill’s documented requirements.
The agent may read and summarize untrusted web content that could be wrong, stale, or manipulative.
The skill can return full webpage text into the agent context. Webpage content is untrusted and may contain inaccurate information or prompt-like text, although this is normal for a search/research skill.
enableContent | No | Boolean | false | Extract full text
Ask the agent to cite sources, compare multiple results, and ignore instructions found inside retrieved webpages.
