Kagi
v0.1.0
Perform web searches and generate summarized answers with citations using the Kagi API and FastGPT for higher-quality results or rate-limit fallback.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The included Python scripts and SKILL.md clearly implement a Kagi Search + FastGPT client (calling https://kagi.com/api/v0). That matches the implied purpose, but the skill metadata declares no required environment variables or primary credential even though the code requires a KAGI_API_TOKEN (and also accepts KAGI_API_KEY as a fallback). The missing declaration is an incoherence between purpose and declared requirements.
Instruction Scope
SKILL.md instructs the user to export KAGI_API_TOKEN and run the provided scripts; the runtime instructions stay within the advertised scope (making HTTP calls to the Kagi API and printing/summarizing results). There is no instruction to read unrelated files or contact endpoints other than kagi.com. Note: the instructions assume an API token even though metadata doesn't list it.
Install Mechanism
This is an instruction-only skill with small local Python scripts and no install spec or external downloads. No archive extraction or remote installers are used, which minimizes install risk.
Credentials
Although the only secret the code needs is the KAGI_API_TOKEN (reasonable for this purpose), the skill metadata lists zero required env vars and no primary credential. The code also accepts an alternate env name (KAGI_API_KEY). The omission in metadata is a discrepancy that could confuse users and permissioning systems; otherwise the requested credential is proportional to the skill's functionality and is only sent to Kagi's API.
Persistence & Privilege
Skill flags are normal (not always:true). The skill does not request persistent system privileges, modify other skills, or write installers; it simply contains local scripts invoked at runtime.
What to consider before installing
This skill appears to be a legitimate Kagi API client, but the package metadata fails to declare the required API token. Before installing:
1) Treat the KAGI_API_TOKEN as a secret — the scripts will send it to https://kagi.com/api/v0, which is expected for this skill.
2) Prefer the author update the skill metadata to list KAGI_API_TOKEN (and mark it as the primary credential) so automated permission checks are accurate.
3) Review the included scripts yourself (they are short and readable) to confirm there are no extra endpoints or unexpected behavior.
4) Use a token with limited scope if possible and rotate it if you test the skill on sensitive systems.
If you cannot or do not want to provide an API token, do not install/use the skill.
Like a lobster shell, security has layers — review code before you run it.
