Skill v1.0.6

ClawScan security

smartsearch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 12, 2026, 8:24 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement a web-search client for the Cloudsway API and requires a Cloudsway API key, but the registry metadata omits those required credentials and binary dependencies — the pieces are inconsistent and warrant caution.
Guidance
This skill's code and SKILL.md call a Cloudsway search API and require an API key (CLOUDSWAYS_AK) plus curl and jq. However the registry metadata omitted those requirements (and the top-level homepage/source are missing), which is an inconsistency you should resolve before installing. Before proceeding:

1) Verify the publisher and origin (ask for a source repo or official Cloudsway documentation confirming aisearchapi.cloudsway.net).
2) Confirm you are comfortable providing CLOUDSWAYS_AK to this skill and consider creating a scoped or limited API key for testing.
3) Ensure your environment has curl and jq, and test the script on a non-sensitive account.
4) If you need higher assurance, ask the publisher to correct registry metadata (declare CLOUDSWAYS_AK and required binaries) or provide signed releases/source code.

These steps will reduce risk from the observed metadata/code mismatch.

Review Dimensions

Purpose & Capability
concern: The name/description match the code and SKILL.md (it calls a Cloudsway search API). However the registry metadata at the top claims no required env vars or homepage while SKILL.md and scripts clearly require CLOUDSWAYS_AK and use curl/jq. That mismatch between declared registry requirements and actual runtime needs is incoherent and could be an omission or packaging error.
Instruction Scope
concern: SKILL.md and scripts instruct the agent to read CLOUDSWAYS_AK and perform HTTP calls to https://aisearchapi.cloudsway.net, returning webpage snippets/content. That behavior is within the stated purpose (web search) but the instructions reference an environment variable and binaries (curl, jq) that the registry metadata did not declare. The skill does not attempt to read unrelated system files or other creds.
Install Mechanism
ok: There is no install spec and only a small shell script is included. No remote downloads or archive extraction occur, so installation risk is low.
Credentials
concern: The runtime requires a single API key (CLOUDSWAYS_AK), which is proportionate to calling a third-party search API. The concern is that the registry metadata did not list this required env var (top-level metadata claims none), creating a mismatch between what the skill actually needs and what was declared.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system-wide settings, and has no config path requirements. It only needs transient access to an API key to call the remote endpoint.