ClawHub
Back to skill
v0.1.0

Simpsons Search

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

This skill appears benign: it searches public Simpsons script data with disclosed Python helper scripts and local caches, without requesting credentials or privileged access.

GuidanceInstall if you are comfortable with bundled Python helpers fetching Springfield! Springfield! pages and storing local cache/index files in the skill directory. Avoid the optional build_corpus and related build commands if you do not want network downloads or persistent local script caches.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.

The registry does not provide an external source repository or install specification, even though the skill includes helper scripts. This is a provenance/metadata note, not evidence of hidden installation behavior.

User impactYou have less external provenance information for the bundled scripts than you would with a linked repository.
RecommendationReview the bundled scripts before relying on the optional helper commands, especially if installing from an unfamiliar publisher.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
To build the stronger corpus cache:

```bash
python3 scripts/build_corpus.py
python3 scripts/build_search_index.py
```

The skill documents local Python command execution for optional corpus/index building. This is expected for the search feature and is user-directed, but it is still local code execution.

User impactIf you or your agent runs the helper commands, they will execute bundled Python code on your machine.
RecommendationOnly run the helper scripts if you want the local corpus/search-index features; otherwise use the provided local index and avoid the build commands.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
- optionally build a local searchable corpus cache for better quote accuracy
- fetch individual script pages when needed or while building the corpus
- Be explicit when the source appears user-maintained or imperfect.

The skill can persist and reuse fetched third-party script content as a local corpus. The artifacts acknowledge source imperfection and instruct short, source-linked excerpts, which keeps this purpose-aligned.

User impactAnswers may be based on cached third-party script text that could be incomplete, inaccurate, or stale.
RecommendationTreat quote matches as sourced references rather than authoritative canon; refresh or avoid the local corpus if you do not want cached website content.