Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Search
v0.1.0Auto-generated skill for google-search tools via OneKey Gateway.
⭐ 0· 66·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's code and SKILL.md implement a OneKey Gateway-backed 'google_search' tool (calling a OneKey router that can in turn call Google Custom Search). That aligns with the stated purpose. However the registry metadata at the top claims 'Required env vars: none' and 'Primary credential: none' while SKILL.md declares DEEPNLP_ONEKEY_ROUTER_ACCESS as a required API key — an inconsistency that should be resolved.
Instruction Scope
Runtime instructions are narrowly scoped to invoking the OneKey Gateway (via the CLI or a small Python script). The Python script only reads the provided --data or a JSON file and uses the DEEPNLP_ONEKEY_ROUTER_ACCESS env var. No unrelated system files, other env vars, or unexpected endpoints are referenced in the instructions. Important caveat: SKILL.md and the script route queries through OneKey Gateway — your query payloads will be sent to that service (and onward to commercial APIs).
Install Mechanism
There is no platform-level install spec (skill is instruction-only) which is low-risk, but SKILL.md recommends installing npm package @aiagenta2z/onekey-gateway and Python package ai-agent-marketplace. These are standard registry installs (npm/pip) but the manifest provides no provenance or homepage for the skill owner; you should verify the source of those packages before installing.
Credentials
The only secret required by the SKILL.md/script is DEEPNLP_ONEKEY_ROUTER_ACCESS, which is proportionate for a gateway-based search tool. However the registry metadata does not list this required env var (incoherent declarations). Also the script falls back to a shared demo key 'BETA_TEST_KEY_MARCH_2026' if you don't set your own key — using the fallback will route your queries through a shared account and may expose query contents to the gateway operator.
Persistence & Privilege
The skill does not request permanent presence (always: false). It's instruction-only with a small script that runs on demand and does not modify other skills or system-wide settings.
What to consider before installing
Before installing or running this skill: (1) verify the owner and package provenance for @aiagenta2z/onekey-gateway and ai-agent-marketplace (check PyPI/GitHub and package authors). (2) Do not use sensitive secrets or private data with the default demo key — set DEEPNLP_ONEKEY_ROUTER_ACCESS to your own trusted key only if you trust the OneKey Gateway operator. (3) Confirm whether the registry metadata should declare the required env var (the manifest and SKILL.md disagree). (4) If you must test, run in an isolated environment or sandbox and inspect network traffic to understand where queries are sent. (5) If you need higher assurance, request the maintainer to provide source repository/homepage and to remove the fallback demo key behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97e8gvjr2a4v7rac0xywpd7ks83cy1m
License
MIT-0
Free to use, modify, and redistribute. No attribution required.