global-search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This search skill discloses that it sends queries to an external service, authenticated with an API key; users should avoid sensitive searches and verify the provider before use.

Before installing, confirm you trust clb.ciglobal.cn, configure the API key securely, and avoid sending passwords, tokens, personal identifiers, confidential documents, or internal business details in search queries.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
Severity: Medium

What this means

Search terms, including any sensitive text the user includes, may be sent to and retained by the external provider.

Why it was flagged

The skill discloses that user queries leave the local environment and go to a third-party provider, where they may be linked to an account.

Skill content

This skill sends the user’s search query to an external web search service at `https://clb.ciglobal.cn/web_search` ... Queries are transmitted to a third-party service and may be associated with your account

Recommendation

Use this only for non-sensitive searches unless the user explicitly confirms, and verify the provider’s privacy and retention practices.

ASI03: Identity and Privilege Abuse
Severity: Low

What this means

Anyone with the API key could potentially make requests as the user’s account for this search service.

Why it was flagged

The skill requires an account API key for authentication; this is expected for the service but is still a sensitive credential.

Skill content

`GLOBAL_SEARCH_API_KEY`: API key obtained from https://clb.ciglobal.cn/apiKey/login

Recommendation

Store the key only in an environment variable or credential manager, do not hardcode it, and rotate it if it is exposed.

ASI02: Tool Misuse and Exploitation
Severity: Low

What this means

A comprehensive search issues more requests than a simple lookup, so the same query is logged against the account and exposed to the provider more times.

Why it was flagged

The comprehensive-search script turns one search into four parallel API requests to the provider-side search modes.

Skill content

`tasks = [fetch_data(semaphore, i) for i in range(1,5)]` ... `async with session.post(API_URL, headers=headers, data=data) as response`

Recommendation

Use comprehensive search only when broad coverage is actually requested, and prefer the smallest necessary query scope.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low

What this means

Users or installers may not see the credential requirement until reading the skill documentation.

Why it was flagged

The registry requirements do not declare the API key that the skill documentation says is required, which is a packaging/metadata inconsistency.

Skill content

Required env vars: none ... Env var declarations: none ... Primary credential: none

Recommendation

Update the registry metadata to declare `GLOBAL_SEARCH_API_KEY` and the external service dependency clearly.