Skill v1.2.0

ClawScan security

Union Search Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 22, 2026, 9:36 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill claims to be an instruction-only, no-credentials multi-platform search helper but actually bundles many scripts that expect numerous sensitive API keys and large third‑party JS artifacts — the declared metadata and runtime instructions are inconsistent and warrant manual review before use.
Guidance
What to consider before installing or running this skill:
- Metadata and reality mismatch: the registry claims no env requirements and 'instruction-only', but the package contains many scripts and the ENV_TEMPLATE lists many sensitive API keys and cookies. Treat the skill as one that will try to access .env and call many external services.
- Do not run it in a production environment or with real credentials present. If you want to try it, run inside an isolated sandbox/container or VM and use throwaway API keys or minimal-permission keys.
- Inspect high-risk files first: ENV_TEMPLATE, SKILL.md, scripts/reddit/agents.py (very large), any '*.js' in dist/ (minified/compiled JS), and downloader modules (yt-dlp usage). Look for code that transmits data to unknown endpoints beyond the documented search APIs.
- Remove or sanitize .env before running, or create a .env with only the specific keys you intend to test. Never paste full raw JSON API responses into external chat sessions (SKILL.md itself recommends avoiding this), and still be careful with saved responses, which may contain tokens/cookies.
- The SKILL.md contains detected obfuscation patterns (base64, unicode control chars). Manually open SKILL.md and the bundled JS files in a safe environment and search for any encoded or hidden strings and for hardcoded endpoints.
- Prefer obtaining the project from the upstream GitHub repo referenced in README and verify commit history and authorship; check if the registry copy is complete or truncated (README warns about size limits). If you must use the registry copy, expect missing files and audit what is present.
- If you lack the ability to review code, avoid installing this skill or only use it through a trusted intermediary service that can sandbox and review network traffic. Consider limiting network egress or using a proxy that logs and inspects outbound calls.
If you want, I can: (1) summarize which exact files reference which environment variables, (2) search the bundle for suspicious network endpoints or hardcoded credentials, or (3) extract and highlight the largest/minified files that need manual review.
Findings
[pre-scan-prompt-injection-base64-block] unexpected: The SKILL.md triggered a 'base64-block' pattern. There is no legitimate need for base64 injections in plain runtime instructions; this could be an attempt to smuggle content or evade scanners. Recommend manually inspecting SKILL.md for any embedded encoded blocks.
[pre-scan-prompt-injection-unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These are sometimes used to obfuscate content to evade simple scanners or to split lines invisibly. They are not needed for normal README/instruction text and warrant careful review.

Review Dimensions

Purpose & Capability
concern: The skill name/description (multi‑platform search) matches the included code, but the registry metadata claimed 'Required env vars: none' while the project clearly expects many credentials (ENV_TEMPLATE lists GITHUB_TOKEN, GOOGLE_API_KEY, YOUTUBE_API_KEY, TIKHUB_TOKEN, SERPAPI keys, VOLCENGINE_API_KEY, etc.). That mismatch is incoherent: a search tool that needs many third‑party API keys should declare them. Also SKILL.md says 'instruction-only' in registry but the bundle contains 150+ Python files and bundled Node 'dist' artifacts — the install/runtime footprint is far larger than metadata indicates.
Instruction Scope
note: SKILL.md instructs the agent to create and read a .env, run many scripts, save raw responses, download bulk images/videos, and use cookies/proxies for downloads. Those instructions are within the stated search/archival purpose, but they grant broad discretion to access and persist potentially sensitive tokens, cookies, and large amounts of fetched content. The SKILL.md also includes guidance to save raw API responses and to use grep/jq on them — which could lead to storing sensitive data locally (cookies, auth responses).
Install Mechanism
note: There is no install spec (so the skill is 'instruction-only' in registry), yet the package includes large third‑party Node distribution files (defuddle-node/dist/*), many Python modules, and README warns about a >50MB size and recommends downloading from an external GitHub repo. The presence of compiled/minified JS artifacts increases review burden because they are large and harder to audit; lack of an explicit, trusted install source is a moderate concern.
Credentials
concern: Metadata said no required env vars, but ENV_TEMPLATE and code reference many sensitive environment variables (API keys, cookies, multiple SERPAPI keys, YTDLP_COOKIES_FILE, WEIBO_COOKIE, ZHIHU_COOKIE, etc.). Requesting many unrelated credentials (multiple search providers + cookies) without declaring them is disproportionate and risky: if the agent is allowed to read environment variables or a .env file, it will have access to a broad set of secrets not reflected in metadata.
Persistence & Privilege
concern: always:false (good), but the skill is allowed to be invoked autonomously (default). Combined with the other concerns (undisclosed credentials, code bundle that saves raw responses and downloads media), autonomous invocation increases blast radius: the skill could read a .env, call many external services, and persist responses/downloads. The bundle also includes large scripts like reddit/agents.py which deserve manual inspection for autonomous behavior.