Metaso Search
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a purpose-aligned Metaso search skill, but users should verify the missing PowerShell runner and protect the required API key.
Before installing, confirm that the missing metaso.ps1 runner is included from a trusted source and review it before giving it your Metaso API key. Treat the API key like a password, avoid placing it in broadly readable files, and rotate it if it is exposed.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read the configured API key could use the user's Metaso API quota or account access tied to that key.
The skill requires a Metaso API key and suggests storing it in an environment variable or local secrets file. This is expected for the stated API-search purpose, but it is still account credential material that users should handle carefully.
$env:METASO_API_KEY = "your_api_key_here" ... 在 `secrets/key存储文档.txt` 中添加: 秘塔AI api:your_api_key_here
Use a scoped or regenerable API key if available, prefer a protected secret store or environment variable, restrict file permissions, and rotate the key if it may have been exposed.
The skill may not run as packaged, or a user may be tempted to obtain or execute a separate metaso.ps1 file that was not included in this review.
The package declares and documents a PowerShell runner, but the provided file manifest contains only README.md, skill.json, and SKILL.md. That creates an incomplete-package/provenance gap for the code that would actually handle the API request and API key.
"entry": "metaso.ps1", "commands": { "search": "metaso.ps1", "default": "metaso.ps1" }Install only a package that includes the reviewed runner file from a trusted source, and verify that any metaso.ps1 used only sends the intended query to the documented Metaso endpoint.