ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

desearch-skill

v1.0.0

调用Zeelin Deep Research API进行深度研究任务。完全异步处理:提交任务后立即返回,后台进程自动确认大纲并定时检查任务状态,任务完成后自动保存md文件。自动配置定时通知(每2分钟检查),任务完成后主动通知用户。使用前必须先询问用户思考模式和搜索范围。

0· 384·2 current·2 all-time
by@angelandpeiqi

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for angelandpeiqi/desearch-skill.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "desearch-skill" (angelandpeiqi/desearch-skill) from ClawHub.
Skill page: https://clawhub.ai/angelandpeiqi/desearch-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install angelandpeiqi/desearch-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install desearch-skill
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description state it calls Zeelin Deep Research API — the code does call desearch.zeelin.cn which matches the purpose. However the skill metadata declares no required environment variables/credentials while every script expects an API key (ZEELIN_API_KEY or ~/.openclaw/zeelin-config.json). That mismatch between declared requirements and actual runtime needs is incoherent and could surprise users. Also the scripts use the OpenClaw 'cron' CLI to create scheduled jobs and send notifications to a hard-coded dingtalk recipient ID (0211560138072828) which is not explained in the description and is unexpected for a research-only skill.
!
Instruction Scope
SKILL.md instructs asynchronous submission and periodic checks — consistent with the code. But there are contradictions: SKILL.md says it will check every 30s and cron every 2 minutes / every 1 minute in different places; it claims results are saved to /tmp/ while code writes to the skill's reports directory (~/.openclaw/.../reports). The SKILL.md also promises automatic 'active' notifications; the code implements this by creating an openclaw cron job that targets a specific dingtalk channel/recipient. Creating persistent scheduled jobs and sending outbound notifications is within the broad stated purpose, but the act of pushing notifications to a hard-coded external recipient is not documented in the skill metadata or given as a configurable option — that's scope creep and privacy/exfiltration risk.
Install Mechanism
No remote install/downloads or extract operations are present; source is included as local scripts and INSTALL.md describes manual copy. There is no install spec that fetches arbitrary code from external URLs. From an installation perspective this is low risk — but because code is shipped with the skill, users should still inspect it before running.
!
Credentials
Registry metadata lists no required env vars or primary credential, but the code requires an API key (reads ZEELIN_API_KEY or ~/.openclaw/zeelin-config.json). That is a substantive credential requirement that wasn't declared. Additionally, the add_cron_job call hard-codes a notification channel ('dingtalk') and a recipient ID, which is unrelated to the declared purpose and could result in automatic outbound notifications (and potentially data leakage) to an external account.
!
Persistence & Privilege
The skill will create a persistent cron job through the openclaw CLI (openclaw cron add) to perform periodic checks and send notifications. It also writes status, PID, logs, report files, and may remove its cron job later. 'always' is false, and autonomous invocation is default (not grounds for flagging alone), but creation of scheduled jobs and hard-coded outbound notification targets increases persistence and blast radius — especially given the unexplained external recipient.
What to consider before installing
This skill appears to implement the advertised async Zeelin research flow, but several red flags deserve action before installing: 1) The metadata claims no credentials, but the scripts require a Zeelin API key (via ZEELIN_API_KEY or ~/.openclaw/zeelin-config.json). Expect to provide that key and store it securely (prefer the local config file with restrictive permissions). 2) Inspect and remove or change the hard-coded notification recipient in async_runner.py (the openclaw cron add call uses channel 'dingtalk' and --to '0211560138072828'). That behavior could send notifications or commands to a third-party account you do not control — replace with your own destination or remove automatic outbound notifications. 3) Verify how your OpenClaw 'cron' subsystem behaves: what content is sent when cron triggers, who receives it, and whether cron execution will expose full report contents externally. 4) Note the docs/instruction inconsistencies (cron interval and save paths); test in a safe environment first (use a dummy API key and run locally) to confirm where files are saved and what is transmitted. 5) If you plan to use this skill, run the scripts under a limited user account, inspect logs/reports directory (~/.openclaw/.../reports) for unexpected files, and avoid setting ZEELIN_API_KEY as a global environment variable on multi-user systems. If you cannot confirm or remove the hard-coded notification target and are uncomfortable with automatic outbound notifications, do not install or run the cron-creation portions of the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk9796dwq1dez29n07bga7dz0th82c1h6
384downloads
0stars
1versions
Updated 13h ago
v1.0.0
MIT-0
@angelandpeiqi
latest
Download

Zeelin Deep Research Skill

本skill用于调用Zeelin Deep Research API执行深度研究任务,采用完全异步处理模式。

⚠️ 重要:使用前必须先询问用户

当用户要求进行研究任务时,必须先询问以下信息

  1. 思考模式(必选):

    模式说明适用场景
    smart普通模式快速简单的问题
    deep深度模式 (~5000字)论文、竞品调研、中度报告
    major专家模式 (~10000+字)深度研究报告

  2. 搜索范围(必选):

    范围说明
    web全网搜索
    academic学术搜索
    selected精选

  3. 研究主题(必选):用户想要研究的具体问题

配置 API Key

方式1:命令行设置(推荐)

python3 scripts/async_runner.py --set-key "YOUR_API_KEY"

方式2:配置文件

echo '{"api_key": "YOUR_API_KEY"}' > ~/.openclaw/zeelin-config.json

获取 API Key:https://desearch.zeelin.cn

使用方法

1. 检查 API Key

python3 scripts/async_runner.py --check-key

2. 提交任务

cd ~/.openclaw/workspace/skills/zeelin-deep-research
python3 scripts/async_runner.py -q "研究主题" -t deep -sr web

功能特性

  1. 异步提交:提交任务后立即返回,不阻塞
  2. 自动确认大纲:后台进程自动调用 confirmOutline
  3. 定时检查:每30秒检查一次任务状态
  4. 自动通知:cron 定时(每2分钟)检查任务完成状态,任务完成后主动通知用户
  5. 自动保存:完成后自动保存 md 文件到 /tmp/

结果文件

任务完成后,md 文件自动保存到:

~/.openclaw/workspace/skills/zeelin-deep-research/reports/zeelin_主题_时间戳.md

Cron 定时器

  • 间隔:每1分钟
  • 功能:检查任务完成状态
  • 通知:任务完成后主动发送消息给用户

Comments

Loading comments...