Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

UniFuncs Deep Search

v0.0.5

Use UniFuncs Deep Search API for fast, comprehensive information gathering. Use this skill when users ask for deep search, broad investigation, or in-depth t...

by UniFuncs @vinlic
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description, SKILL.md, and included Python scripts are coherent: they implement a UniFuncs Deep Search client that calls https://api.unifuncs.com/deepsearch/* endpoints. That capability matches the stated purpose. However, the skill package metadata declares no required environment variables or primary credential while both SKILL.md and the code require an API key (UNIFUNCS_API_KEY). The missing declaration in the registry metadata is an inconsistency and reduces trust.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python scripts and to set UNIFUNCS_API_KEY; the scripts perform only network calls to the UniFuncs API, stream output to temp or user-specified files, and print results. These actions are within the stated 'deep search' scope. Two points to watch: (1) options like --push-to-share and --set-public can publish results to the service's share space, and (2) streaming writes and reads stream-file contents on disk (temp or user-specified paths). Both behaviors can expose query contents if the user provides sensitive data.
Install Mechanism
No install spec is present (instruction-only with included scripts). That is lower risk because nothing is downloaded or executed from an external arbitrary URL on install. The code itself is bundled and uses only the Python standard library (urllib, tempfile, etc.).
Credentials
The code and SKILL.md require a UNIFUNCS_API_KEY, but registry metadata lists no required env vars or primary credential — this mismatch is a notable red flag. Aside from that API key, no other credentials are requested. Because queries (and any sensitive content included in them) will be transmitted to a third-party API, the API key should be declared by the publisher, and users should ensure the key has appropriate scope/limits.
Persistence & Privilege
The skill is not marked always:true and does not request permanent system privileges. It writes ephemeral stream files to temp or user-specified paths and does not modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to be a legitimate client for UniFuncs Deep Search, but the package metadata fails to declare the required UNIFUNCS_API_KEY — the SKILL.md and the bundled scripts do expect that API key. Before installing: (1) avoid sending passwords, secrets, or personally-identifiable data as query text (the queries and results are sent to a third-party API and may be published if options like push-to-share / set-public are used); (2) verify the publisher/source (there's no homepage or repository linked); (3) confirm you are comfortable storing/using an external API key and that the key has limited scope and revocation ability; (4) ask the publisher to update the manifest to declare UNIFUNCS_API_KEY as a required credential; and (5) if in doubt, inspect the included Python files (they are bundled) and test with non-sensitive queries first.

Like a lobster shell, security has layers — review code before you run it.
