Kiro Search Aggregator
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a normal search-aggregation skill, but it sends queries to third-party search APIs, uses provider API keys, and stores retrieved results locally.
This skill looks coherent for multi-source search. Before installing, be aware that queries are sent to third-party providers, API keys are read from the environment, and generated briefs may include untrusted web or social content. Use least-privileged keys and avoid private or sensitive queries.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your search terms and selected source requests may be sent to Google/Serper, SerpAPI, and X depending on which sources are used.
The script sends search requests to multiple external provider APIs. This is disclosed and aligned with the skill's search-aggregation purpose, but users should avoid sending sensitive private queries.
SERPER_BASE = "https://google.serper.dev"; SERPAPI_BASE = "https://serpapi.com/search.json"; X_RECENT_SEARCH = "https://api.x.com/2/tweets/search/recent"
Use only queries you are comfortable sharing with those providers, and select only the sources you need.
Installing and using all sources may require giving the runtime access to search-provider credentials, including an X bearer token.
The skill requires or uses provider API credentials. This is expected for the stated integrations, and the visible code uses them only for the corresponding search API calls.
`SERPER_API_KEY` for `google`, `youtube`; `SERPAPI_API_KEY` for `scholar`; `X_BEARER_TOKEN` for `x`
Provide least-privileged API keys where possible, rotate them if exposed, and omit keys for sources you do not intend to use.
Generated search briefs may contain untrusted web or social-media text that should not be treated as instructions to the agent.
The Markdown output includes snippets from external search and social results. These retrieved snippets are untrusted content and could contain misleading text if reused as agent context.
lines.append(f" - {row['snippet'][:260]}")
Treat output files as search results, not trusted instructions, and verify important claims before acting on them.
It may be harder to verify who maintains the skill or compare the installed artifact against an upstream release.
The registry metadata does not identify a source repository. The visible code is simple and purpose-aligned, but provenance is less clear than with a verifiable upstream source.
Source: unknown
Prefer verified sources when available, and review the script before providing API credentials.
