Skill v1.0.1

ClawScan security

Hybrid Deep Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 8:39 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's documentation and description claim live integration with Brave Search and OpenAI Codex, but the packaged code largely simulates calls and there are mismatches between declared requirements and what the code actually reads—this incoherence could be harmless sloppy engineering but deserves review before use, especially if you supply API keys.
Guidance
This package is internally inconsistent rather than clearly malicious, but treat it cautiously. Before installing or supplying API keys:
1) Inspect scripts/deep_search.py and scripts/router.py (they currently simulate results and do not make network calls).
2) If you plan to enable codex mode, verify where and how OPENAI_API_KEY will be used (confirm calls go to the official OpenAI API endpoint and that you accept billing exposure).
3) Be aware SKILL.md asks you to pip install openai/python-dotenv/requests even though the bundled code doesn't use them — avoid installing unnecessary packages you don't trust.
4) Run the scripts in a sandbox environment first and search the code for any hard-coded or hidden network endpoints before providing secrets.
5) If you require the promised Brave/OpenAI integrations, ask the maintainer for a clear implementation plan or an update that actually performs authenticated API calls and updates the skill manifest to declare required env vars and dependencies.
If you cannot verify these points, do not supply sensitive credentials (OPENAI_API_KEY) to this skill.

Review Dimensions

Purpose & Capability
concern
The skill advertises intelligent routing between a Brave API (via the platform's built-in web_search) and OpenAI Codex. The code implements routing logic and formats results, but does not actually call Brave or OpenAI APIs — it returns simulated results and only checks for OPENAI_API_KEY existence rather than performing real API calls. The SKILL metadata declares no required env vars, yet the runtime relies on OPENAI_API_KEY/OPENAI_BASE_URL if the codex mode is used. These inconsistencies mean the package is not fully implementing its claimed capabilities and the declared manifest doesn't match runtime needs.
Instruction Scope
concern
SKILL.md instructs users to install openai, python-dotenv, and requests and to set OPENAI_API_KEY/OPENAI_BASE_URL, and it references using the platform's web_search tool. The code, however, simulates both Brave and OpenAI responses and does not perform network calls or read .env/config files. The instructions therefore over-promise (and instruct the user to provide credentials) while the code doesn't actually use them for API calls — a gap that grants the skill broad discretion in future changes and confuses what will happen at runtime.
Install Mechanism
note
There is no install spec (instruction-only at registry level) but SKILL.md asks the user to pip install openai, python-dotenv, and requests. Because installation is performed manually by the user, immediate supply-chain risk is low — but the requested packages are not evidenced in the code, which suggests the dependency list is disproportionate to the packaged implementation and could mislead users into installing unnecessary packages.
Credentials
note
The registry lists no required environment variables, yet the code looks for OPENAI_API_KEY and OPENAI_BASE_URL to enable codex mode. Requesting an OpenAI API key is proportionate to the stated purpose (calling Codex), but the skill's metadata failing to declare these required variables is an incoherence. Users should treat any provided OPENAI_API_KEY as sensitive (billing risk) and only provide it after verifying the code will only call the official OpenAI endpoint.
Persistence & Privilege
ok
The skill does not request always:true, does not modify system-wide config, and has no install-time persistence mechanism in the registry. It's user-invocable and can be run interactively; there are no elevated privileges requested in the manifest.