Back to skill
Skillv1.0.2
ClawScan security
Zhipu Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 26, 2026, 2:33 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required environment variable match its stated purpose (a web-search wrapper for Zhipu AI) with no unrelated privileges or suspicious behavior detected.
- Guidance
- This skill sends your search queries (and any optional user_id/request_id you provide) to Zhipu's API (open.bigmodel.cn) using the ZHIPU_API_KEY. Before installing, ensure you trust the Zhipu service to handle queries and any potentially sensitive data, that your API key has appropriate scope/quota, and that network access to the API is acceptable. If you want to avoid linking queries to an identifiable user, don't supply user_id. If you need a deeper audit, review the final portion of the included script (output/truncation area) to confirm it doesn't add unexpected telemetry.
Review Dimensions
- Purpose & Capability
- okName/description (Zhipu web search) align with the single required env var ZHIPU_API_KEY and the script which calls Zhipu's API endpoint (open.bigmodel.cn). There are no unrelated credentials, binaries, or config paths required.
- Instruction Scope
- okSKILL.md and the Python script limit activity to building search requests and parsing responses from the Zhipu API. The instructions and code do not reference or read unrelated files, system paths, or additional environment variables.
- Install Mechanism
- okThere is no install spec (instruction-only skill with an included script). No external downloads or archive extraction are requested, so nothing is written to disk by an installer beyond the included script.
- Credentials
- okOnly ZHIPU_API_KEY is required, which is appropriate for a wrapper that authenticates to Zhipu's service. No other secrets or unrelated credentials are requested.
- Persistence & Privilege
- okSkill is not declared always:true and does not attempt to modify other skills or system-wide settings. Default autonomous invocation settings remain, which is normal for skills.