ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

smartsearch

v1.0.6

Performs real-time web searches to retrieve up-to-date online information, news, research data, and fact-checking results.

0· 0·0 current·0 all-time
bynodunjj@prismheart
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description match the code and SKILL.md (it calls a Cloudsway search API). However the registry metadata at the top claims no required env vars or homepage while SKILL.md and scripts clearly require CLOUDSWAYS_AK and use curl/jq. That mismatch between declared registry requirements and actual runtime needs is incoherent and could be an omission or packaging error.
!
Instruction Scope
SKILL.md and scripts instruct the agent to read CLOUDSWAYS_AK and perform HTTP calls to https://aisearchapi.cloudsway.net, returning webpage snippets/content. That behavior is within the stated purpose (web search) but the instructions reference an environment variable and binaries (curl, jq) that the registry metadata did not declare. The skill does not attempt to read unrelated system files or other creds.
Install Mechanism
There is no install spec and only a small shell script is included. No remote downloads or archive extraction occur, so installation risk is low.
!
Credentials
The runtime requires a single API key (CLOUDSWAYS_AK), which is proportionate to calling a third-party search API. The concern is that the registry metadata did not list this required env var (top-level metadata claims none), creating a mismatch between what the skill actually needs and what was declared.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and has no config path requirements. It only needs transient access to an API key to call the remote endpoint.
What to consider before installing
This skill's code and SKILL.md call a Cloudsway search API and require an API key (CLOUDSWAYS_AK) plus curl and jq. However the registry metadata omitted those requirements (and the top-level homepage/source are missing), which is an inconsistency you should resolve before installing. Before proceeding: 1) Verify the publisher and origin (ask for a source repo or official Cloudsway documentation confirming aisearchapi.cloudsway.net). 2) Confirm you are comfortable providing CLOUDSWAYS_AK to this skill and consider creating a scoped or limited API key for testing. 3) Ensure your environment has curl and jq, and test the script on a non-sensitive account. 4) If you need higher assurance, ask the publisher to correct registry metadata (declare CLOUDSWAYS_AK and required binaries) or provide signed releases/source code. These steps will reduce risk from the observed metadata/code mismatch.

Like a lobster shell, security has layers — review code before you run it.

latestvk9783mw7pyyb0fhgy4dy413v4h84q040

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments