ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unifuncs Deep Research

v0.0.7

Use UniFuncs Deep Research API to run in-depth research and generate long-form reports (10,000 words or more). Use this skill when users request deep researc...

0· 1.1k·1 current·1 all-time
byUniFuncs@vinlic
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: the three Python clients call api.unifuncs.com endpoints (create_task, chat/completions, query_task) and implement options for streaming, output length, domain allowlist/blacklist, etc. These requirements are consistent with a deep-research/reporting tool.
Instruction Scope
SKILL.md restricts runtime to running the provided Python scripts (allowed-tools: Bash(python3:*)) and enforces a mandatory second confirmation step before invocation, which is a positive safety measure. The scripts read an API key from UNIFUNCS_API_KEY, perform network requests to api.unifuncs.com, create/read temporary or user-specified stream files, and may spawn subprocesses (deep-research-report.py imports subprocess). The scripts do not appear to access other environment variables or unrelated system configuration, but they do write to arbitrary writable paths if the user supplies a --stream-file path; that could overwrite files if misused. The use of subprocess is present in the code base (truncated portion not visible) — this should be inspected to ensure it doesn't execute arbitrary uncontrolled commands.
Install Mechanism
No install spec (instruction-only with bundled scripts). Nothing is fetched from remote URLs during install; the risk surface is limited to executing the included Python scripts. This is lower-risk than arbitrary remote downloads, but executing bundled code still requires trust in the source.
!
Credentials
The SKILL.md and all three Python files require an API key via the environment variable UNIFUNCS_API_KEY. However, the registry metadata lists 'Required env vars: none' and 'Primary credential: none' — this is an inconsistency. Requesting a single service API key is reasonable for this skill's purpose, but the metadata omission is a coherence problem and could mislead users about required credentials.
Persistence & Privilege
The skill is not always:true and does not claim to persistently modify system or other skills' configuration. It writes temporary/stream files as part of streaming behavior, which is expected for long-running streaming outputs. No privileged system modifications are present in the visible code.
What to consider before installing
This skill appears to implement a legitimate UniFuncs API client for producing long research reports, but note these points before installing: (1) the code and SKILL.md require UNIFUNCS_API_KEY, but the registry metadata incorrectly lists no required env vars — supply only an API key you trust and expect to be used by this skill; (2) the scripts create/read stream files (temp or --stream-file) and will write to any writable path you supply — avoid pointing --stream-file at sensitive locations; (3) deep-research-report.py imports subprocess (the rest of that logic is truncated here) — review the full script to confirm it doesn't execute arbitrary shell commands with user-controlled input; (4) the skill contacts api.unifuncs.com and will send your query and options to that external service — do not send secrets or sensitive data to the skill; (5) the source/homepage are missing, so you should only install if you trust the provider or can audit the full scripts. If you want higher assurance, ask the publisher for a canonical homepage/repo and a clear update to the registry metadata to declare UNIFUNCS_API_KEY as a required credential, and request the full deep-research-report.py content be reviewed for subprocess usage.

Like a lobster shell, security has layers — review code before you run it.

0.0.1vk978tawjdk069et0926v90bqbd80zy0xlatestvk9766gdj8jh5j22y50xv27zrqn83tp6c
1.1kdownloads
0stars
4versions
Updated 8h ago
v0.0.7
MIT-0
UniFuncs@vinlic
0.0.1latest
Download

UniFuncs Deep Research Skill

Use this tool for in-depth analysis and long-form report generation (10,000 words or more). It is suitable when the task requires multiple rounds of searching and reading, or when the user explicitly asks for deep research/deep digging. This is a relatively expensive operation and usually takes 3-10 minutes.

Mandatory second confirmation: Before invoking any Deep Research script (deep-research-report.py, deep-research-create-task.py, etc.), you must pause and get explicit user confirmation in the same conversation after you have summarized the request. In one message, briefly restate: (1) the research topic / question to be sent, (2) that it is long-running (~3–10 minutes) and higher cost than deep search, and (3) any key options you plan to use (e.g. output-type, model) if non-default. Do not run the scripts until the user clearly confirms (e.g. “确认 / 可以 / yes / proceed”). If the user adjusts the topic or options, repeat this confirmation step once more before running.

If the intent is still ambiguous after your summary, ask one short clarifying question before offering the confirmation summary.

First-Time Setup

  1. Go to https://unifuncs.com/account to get your API key.
  2. Set the environment variable: export UNIFUNCS_API_KEY="sk-your-api-key"

When to Use

You need deep, structured research on a topic. You want a report-style output instead of search report, if the user has not explicitly requested a deep research, consider using unifuncs-deep-search instead. Typical completion time is around 3-10 minutes, depending on topic complexity.

Usage Guidelines

  1. Complete Mandatory second confirmation above.
  2. Then use one of the entries below as appropriate.

The skills is split into 3 independent entries:

  • deep-research-report.py - Synchronously gets the research report. Because it can take longer, set a sufficiently large timeout.
  • deep-research-create-task.py - Asynchronously creates a research task and returns a task ID. Keep the task ID for later status/result queries to avoid creating duplicate tasks.
  • deep-research-query-task.py - Queries task status and returns task result/report content.

1) Sync report: deep-research-report.py

python3 deep-research-report.py "query"

2) Async task creation: create_task

python3 deep-research-create-task.py "query"

This returns task_id.

3) Async task query: query_task

python3 deep-research-query-task.py "task_id"

Options

usage: deep-research-report.py [-h] [--model {u1,u1-pro,u2,u3}]
                               [--stream | --no-stream]
                               [--timeout TIMEOUT]
                               [--stream-file STREAM_FILE]
                               [--read-stream-file]
                               [--introduction INTRODUCTION]
                               [--plan-approval]
                               [--reference-style {link,character,hidden}]
                               [--max-depth MAX_DEPTH]
                               [--domain-scope DOMAIN_SCOPE]
                               [--domain-blacklist DOMAIN_BLACKLIST]
                               [--output-type {report,summary,wechat-article,xiaohongshu-article,toutiao-article,zhihu-article,zhihu-answer,weibo-article}]
                               [--output-prompt OUTPUT_PROMPT]
                               [--output-length OUTPUT_LENGTH]
                               [--raw-response]
                               [query]

UniFuncs Deep Research client

positional arguments:
  query                 User query sent to Deep Research.

options:
  -h, --help            show this help message and exit
  --model {u1,u1-pro,u2,u3}
                        Model to use (default: u3).
  --stream              Enable streaming output (default).
  --no-stream           Disable streaming and wait for full response.
  --timeout TIMEOUT     Max streaming wait time in seconds (default:
                        1800).
  --stream-file STREAM_FILE
                        Path to persist/read stream chunks. If omitted,
                        temp file is auto-created when writable.
  --read-stream-file    Read and render already received content from
                        --stream-file, without calling API.
  --introduction INTRODUCTION
                        Researcher role/tone introduction.
  --plan-approval       Generate research plan and wait for approval
                        before execution.
  --reference-style {link,character,hidden}
                        Reference marker style.
  --max-depth MAX_DEPTH
                        Maximum research depth.
  --domain-scope DOMAIN_SCOPE
                        Comma-separated domain allowlist.
  --domain-blacklist DOMAIN_BLACKLIST
                        Comma-separated domain blocklist.
  --output-type {report,summary,wechat-article,xiaohongshu-article,toutiao-article,zhihu-article,zhihu-answer,weibo-article}
                        Desired output style (default: report).
  --output-prompt OUTPUT_PROMPT
                        Custom output prompt template.
  --output-length OUTPUT_LENGTH
                        Expected output length hint (default: 10000).
  --raw-response        Print full API response JSON.

Output Types

  • report - Long-form report(Default)
  • summary - Concise summary
  • wechat-article - WeChat public account article
  • xiaohongshu-article - Xiaohongshu post
  • toutiao-article - Toutiao article
  • zhihu-article - Zhihu article
  • zhihu-answer - Zhihu answer
  • weibo-article - Weibo article

Comments

Loading comments...