research-logger
Advisory
Audited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If those environment variables are present, the skill may use those provider credentials to perform searches and GIF lookups.
The script reads Brave and Giphy API keys from the environment. This is relevant to the stated web/GIF purpose and no hardcoding or logging is shown, but the registry says no env vars or primary credential are required.
BRAVE_KEY="${BRAVE_API_KEY:-}" ... GIPHY_KEY="${GIPHY_API_KEY:-}"
Declare BRAVE_API_KEY and GIPHY_API_KEY in metadata, use restricted keys where possible, and avoid running the skill in environments with unrelated secrets.
Research topics and GIF queries may be visible to Brave and Giphy when the relevant API keys are configured.
The user-supplied topic is sent to external Brave and Giphy providers. That is consistent with web research and GIF matching, but SKILL.md describes OpenClaw tools/gifgrep rather than these direct provider calls.
https://api.search.brave.com/res/v1/web/search?q=${ENCODED_Q}&count=5 ... https://api.giphy.com/v1/gifs/search?api_key=${GIPHY_KEY}&q=
Do not use sensitive topics unless you are comfortable sending them to those providers, and update SKILL.md to clearly document the actual external API data flow.
Running the skill can create persistent files and Bear notes on the user's machine.
The script writes a local markdown note and invokes grizzly to create a Bear note. This is the core stated function and is user-invoked, but it does mutate local note storage.
OUTPUT="$WORKSPACE_ROOT/notes/research_${SAFE_TOPIC}_${DATE}.md" ... grizzly "${BEAR_ARGS[@]}" < "$OUTPUT"
Run it only when you intend to create a note, review generated note contents for accuracy, and keep normal backups of local notes.
The skill may fail or behave differently than expected unless the needed local tools and optional API keys are already available.
The registry metadata under-declares runtime needs compared with SKILL.md and the script, which reference grizzly, curl/python3 usage, and optional API keys. This is a clarity and reproducibility issue, not evidence of hidden installation or malicious code.
Required binaries (all must exist): none ... Required env vars: none ... No install spec — this is an instruction-only skill.
Align registry metadata with the actual requirements, including grizzly and optional BRAVE_API_KEY/GIPHY_API_KEY, and document curl/python3 assumptions.
