Mysteel_InfoSearch
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it claims—query Mysteel industry news—but users should notice that it uses a local API key and sends search text to Mysteel.
This skill is reasonable to install if you trust the Mysteel API integration. Before use, provide only a dedicated Mysteel API key, protect the local api_key.md file, and avoid sending confidential or sensitive search queries.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms may be visible to the Mysteel service, so sensitive business questions should not be submitted unless the user is comfortable sharing them with that provider.
The script posts the user-provided query text to an external Mysteel API endpoint. This is aligned with the stated search purpose and is not hidden, but users should understand that query text leaves the local environment.
API_URL = "https://mcp.mysteel.com/mcp/info/ai-search/search" ... "text": text
Use the skill only for queries appropriate to send to Mysteel, and avoid including confidential information in search text.
Anyone who can read the local api_key.md file may be able to use the Mysteel API key, and the registry metadata does not flag a primary credential requirement.
The script reads a local API key file and sends that value as the token header to Mysteel. This is expected for an authenticated API client, but it is credential handling that users should notice.
API_KEY_FILE = SKILL_DIR / "references" / "api_key.md" ... "token": api_key
Use a dedicated, least-privilege Mysteel API key, keep references/api_key.md private, do not commit it to shared repositories, and declare the credential requirement in metadata.