Perplexity

PassAudited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Perplexity search wrapper that uses the expected API key and sends supplied queries to Perplexity, with only minor credential and provenance notes.

Before installing, make sure you are comfortable sending your search queries to Perplexity and using a Perplexity API key with this skill. The reviewed code does not show hidden exfiltration, persistence, or destructive behavior.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

Search requests may be associated with or billed to the user's Perplexity API account.

Why it was flagged

The script reads the user's Perplexity API key from the environment and uses it to authenticate to Perplexity. This is expected for the skill, but it delegates account/API authority to the script.

Skill content

const apiKey = process.env.PERPLEXITY_API_KEY; ... "Authorization": `Bearer ${apiKey}`

Recommendation

Use a Perplexity API key intended for this purpose, monitor usage, and revoke or rotate it if you stop using the skill.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

You are relying on the registry-provided files rather than a clearly traceable upstream project.

Why it was flagged

The registry metadata does not identify a source repository or package origin. The included code is reviewable and clean, but provenance is not traceable from the supplied artifacts.

Skill content

Source: unknown

Recommendation

Install only if you trust the registry entry; prefer a version with a verifiable source repository if stronger provenance is important.