Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
smart-search
v1.0.0Intelligent web search routing across Gemini and Brave APIs with quota management, circuit breaker, and web_fetch fallback. Routes finance queries to Gemini,...
⭐ 0· 104·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to route searches via Gemini and Brave APIs and to use a shared quota file. The implementation expects GEMINI_API_KEY and BRAVE_API_KEY to live in the top-level env block of ~/.openclaw/openclaw.json and uses a shared quota file under ~/.openclaw/workspace/shared. However the registry metadata declares no required environment variables or primary credential — that is inconsistent and under-declares the sensitive credentials and global config access the skill needs.
Instruction Scope
SKILL.md and index.js instruct the agent to read the global openclaw.json, read/write a shared quota JSON at ~/.openclaw/workspace/shared/search-quota.json, and log all searches to a logs directory next to the quota file. That means user queries (possibly sensitive) are persisted to disk and are visible to other agents/processes that can read that directory. The skill also performs web_fetch fallbacks and calls external providers — expected for this skill, but the persistent logging and global config reads expand the data surface beyond simple per-agent ephemeral operations.
Install Mechanism
There is no remote download; the repository includes code and two shell scripts (setup.sh and reset-quota.sh). setup.sh runs 'npm install' (traceable dependency 'proper-lockfile') and creates ~/.openclaw workspace and quota file. This is moderate-risk because code will be executed locally and npm install runs arbitrary package scripts, but no external ad-hoc binary download URLs or URL shorteners are used.
Credentials
Although the registry lists no required env vars, the code reads config.env.GEMINI_API_KEY and config.env.BRAVE_API_KEY from the global openclaw.json. It also respects SEARCH_QUOTA_PATH and OPENCLAW_CONFIG_PATH overrides. Reading the entire openclaw.json can expose other top-level env secrets stored there. The skill therefore requires access to sensitive API keys and a shared filesystem location — these are not declared in the metadata and are broader than indicated.
Persistence & Privilege
The skill persists live quota state and search logs to a shared workspace under the user's home directory and uses file locking to coordinate concurrent access. Persisting full search logs (and potentially query results) to a shared file increases the risk of leaking sensitive queries to other local agents or users. The skill does not request 'always: true' and does not modify other skills, but its write access to a shared path and global config file is a privileged capability that should be acknowledged.
What to consider before installing
This skill appears to implement what it claims, but it under-declares sensitive requirements. Before installing: 1) Confirm you are willing to store API keys (GEMINI_API_KEY, BRAVE_API_KEY) in your global ~/.openclaw/openclaw.json and understand that the skill will read that file. 2) Review and restrict filesystem permissions on ~/.openclaw/workspace/shared so other users/processes cannot read logs or quota; the skill will write search logs and a shared quota file there. 3) If you keep other secrets in openclaw.json, move them or use a separate config to avoid exposing them. 4) Audit index.js locally (it’s included) to ensure there are no unexpected external endpoints; run setup.sh in a controlled environment since npm install will execute dependency install scripts. 5) Ask the author to update registry metadata to declare required env vars (GEMINI_API_KEY, BRAVE_API_KEY) and to document retention/rotation policy for logs. If you need stricter isolation, run the skill under a dedicated user account or sandbox.index.js:22
Environment variable access combined with network send.
index.js:234
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk972vp3qms2ek693ewj0qy9c6h832wy2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔍 Clawdis
OSmacOS · Linux