ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Research Tool

v0.1.5

Search the web using LLMs via OpenRouter. Use for current web data, API docs, market research, news, fact-checking, or any question that benefits from live i...

0· 699·1 current·1 all-time
by@aaronn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (web research via OpenRouter) align with required items: the skill needs the research-tool CLI binary and an OPENROUTER_API_KEY. The README/metadata references a GitHub repo, which is consistent with a third-party CLI wrapper.
Instruction Scope
SKILL.md contains only instructions to run the research-tool CLI (sessions_spawn/exec) and how to set flags; it does not instruct reading unrelated local files or secrets. It does reference optional env vars (RESEARCH_EFFORT, RESEARCH_MODEL) that are not listed in requires.env — these are configuration knobs, not extra secrets. It also warns not to set exec timeout (operational guidance) which is unusual but not a security issue by itself.
Install Mechanism
The skill is instruction-only (no install spec). SKILL.md suggests installing via `cargo install openclaw-search-tool`, which is a reasonable, traceable install mechanism for a Rust-based CLI. The registry did not include an automated install step; that's low risk but means users should verify the binary source themselves before installing.
Credentials
Only OPENROUTER_API_KEY is required (declared as primary credential), which is proportional to a tool that talks to OpenRouter. The docs mention additional optional env vars (RESEARCH_MODEL, RESEARCH_EFFORT) not declared in requires.env — these are non-sensitive configuration items. Users should remember the API key grants access/billing on OpenRouter and therefore is sensitive.
Persistence & Privilege
The skill does not request always:true or any system-wide config paths and does not attempt to persist beyond normal CLI usage. disable-model-invocation is false (normal) — the skill can be invoked by the agent but has no elevated installation privileges.
Assessment
This skill appears to do what it says: run a CLI that queries OpenRouter and returns citation-backed answers. Before installing: (1) verify the origin of the research-tool binary (inspect the GitHub repo or crate) because the CLI will send your queries to OpenRouter; (2) treat OPENROUTER_API_KEY as a secret (it enables access and billing on your OpenRouter account); (3) avoid sending sensitive personal or proprietary data through the tool unless you trust OpenRouter's handling and your account settings; (4) follow the author's recommendation to run it in a sub-agent so your main session doesn't block; and (5) if you want stronger assurance, review the CLI source code or build from source rather than running a prebuilt binary.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d9dbqf9zeqcxzxttzpqxc9181b4x4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binsresearch-tool
EnvOPENROUTER_API_KEY
Primary envOPENROUTER_API_KEY

Comments