Skill v1.0.1

ClawScan security

元宝搜索标准版Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 24, 2026, 2:33 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested environment variable line up with a web-search integration to Tencent's WSA API and do not request unrelated credentials or perform unexpected actions.
Guidance
This skill is a straightforward client for Tencent's WSA search API and only needs the single API key you supply. Before installing: confirm you trust TencentCloud for sending queries and receiving snippets, place the API key in a restricted account with limited quota, monitor usage/billing, and avoid putting highly sensitive credentials into this skill's environment. If you need stricter isolation, run the script in a sandboxed environment or dedicated runtime.

Review Dimensions

Purpose & Capability
ok
Name/description say it's a TencentCloud Web Search (WSA) integration. The only required binary is python3 and the only required env var is TENCENTCLOUD_WSA_APIKEY — both are appropriate and proportional to implementing a simple search client.
Instruction Scope
ok
SKILL.md instructs setting the API key env var and running scripts/websearch.py with query/freshness/site/mode parameters. The script only builds a request to api.wsa.cloud.tencent.com, parses the response, and prints results — it does not read other files, other env vars, or exfiltrate data to unexpected endpoints.
Install Mechanism
ok
No install spec — instruction-only plus a small Python script bundled with the skill. No third-party downloads or archive extraction are performed.
Credentials
ok
Only TENCENTCLOUD_WSA_APIKEY is required and used directly as a Bearer token to call the Tencent WSA endpoint. There are no unrelated secrets or multiple credentials requested.
Persistence & Privilege
ok
always:false and the skill does not attempt to persist itself, modify other skills, or change system-wide configs. It runs as a simple command-line client.