ClawHub
Back to skill
v1.1.2

Swiss Phone Directory

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:51 AM.

Analysis

The skill appears to be a straightforward search.ch directory lookup tool, with expected API-key use and expected external lookup requests.

GuidanceBefore installing, make sure you are comfortable providing a search.ch API key and sending lookup terms such as names, phone numbers, and locations to search.ch. Store the API key carefully, avoid committing it to dotfiles or gateway config, and correct the documented script path if needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md / file manifest
SKILL.md: `python3 scripts/searchch.py search "Migros" --location "Zürich"`
File manifest: `searchch.py (10779 bytes)`

The documentation references `scripts/searchch.py`, while the supplied file is listed as `searchch.py` at the root. This is a coherence issue that could confuse installation or invocation, but it does not show malicious behavior.

User impactThe example commands may fail unless the script path is corrected.
RecommendationUpdate the documentation or file layout so the command path matches the packaged script.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
searchch.py
api_key = get_api_key()
...
params = {
    "was": query,
    "key": api_key,
    "lang": lang,
    "maxnum": min(limit, 200)
}

The code reads the `SEARCHCH_API_KEY` credential and includes it in requests to the search.ch API. This is disclosed and necessary for the stated purpose, but it is still credential use.

User impactThe skill can use your search.ch API key and associated quota when performing lookups.
RecommendationUse a dedicated search.ch API key, avoid committing it to shared files or repositories, and rotate it if it is exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
searchch.py
API_BASE = "https://search.ch/tel/api/"
...
params = {
    "was": query,
    "key": api_key,
    "lang": lang,
    "maxnum": min(limit, 200)
}
...
if location:
    params["wo"] = location
...
with urllib.request.urlopen(url, timeout=15) as response:

Search terms, phone numbers, and optional locations are sent to the external search.ch API. This is clearly aligned with the skill's purpose, but users should understand the data flow.

User impactNames, phone numbers, business categories, or locations entered for lookup may be processed by search.ch.
RecommendationUse the skill only for queries you are comfortable sending to search.ch, and review search.ch API terms and privacy expectations.