Skillv2.1.0

ClawScan security

Metaso Search V2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 11, 2026, 9:29 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and required environment variable (METASO_API_KEY) are consistent with a search/chat/read API client and do not request unrelated credentials or perform unexpected actions.
Guidance: This skill appears coherent: it requires only METASO_API_KEY and contacts Metaso endpoints (https://metaso.cn). Before installing, confirm you trust the Metaso service and the skill author (repository/homepage is empty), limit the API key's scope if possible, store the key securely, and consider testing in an isolated environment. If you need stronger assurance, ask the publisher for a repository URL or signed package so you can review provenance and updates.

Purpose & Capability: okName/description (Metaso search, web reader, chat) match the actual implementation: the code calls Metaso API endpoints and requires only METASO_API_KEY. No unrelated services, binaries, or config paths are requested.
Instruction Scope: okSKILL.md contains focused runtime instructions and example usage that map directly to the implemented functions. It does not instruct reading arbitrary local files, other environment variables, or exfiltrating data to unexpected endpoints.
Install Mechanism: okThere is no install spec (instruction-only install). Code files are provided but no installer or external download is used; risk from install mechanism is low.
Credentials: okOnly METASO_API_KEY is required and used by the code (Authorization header). The number and nature of environment variables is proportional to the stated purpose.
Persistence & Privilege: okSkill is not forced-always, is user-invocable, and does not request elevated/platform-wide privileges or modify other skills' configs. Autonomous invocation is allowed (platform default) and is not combined with other red flags.