Skill v1.0.0
ClawScan security
desearch-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 6, 2026, 3:56 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (submit async research tasks to Zeelin and save results), but there are multiple mismatches between its metadata/instructions and the code — most notably a hidden requirement for an API key, inconsistent docs about scheduling/saving, and a hard-coded notification target that could cause data to be sent off to a third party.
- Guidance: This skill appears to implement the advertised async Zeelin research flow, but several red flags deserve action before installing:
  1. The metadata claims no credentials, but the scripts require a Zeelin API key (via ZEELIN_API_KEY or ~/.openclaw/zeelin-config.json). Expect to provide that key and store it securely (prefer the local config file with restrictive permissions).
  2. Inspect and remove or change the hard-coded notification recipient in async_runner.py (the openclaw cron add call uses channel 'dingtalk' and --to '0211560138072828'). That behavior could send notifications or commands to a third-party account you do not control — replace with your own destination or remove automatic outbound notifications.
  3. Verify how your OpenClaw 'cron' subsystem behaves: what content is sent when cron triggers, who receives it, and whether cron execution will expose full report contents externally.
  4. Note the docs/instruction inconsistencies (cron interval and save paths); test in a safe environment first (use a dummy API key and run locally) to confirm where files are saved and what is transmitted.
  5. If you plan to use this skill, run the scripts under a limited user account, inspect the logs/reports directory (~/.openclaw/.../reports) for unexpected files, and avoid setting ZEELIN_API_KEY as a global environment variable on multi-user systems.
  If you cannot confirm or remove the hard-coded notification target and are uncomfortable with automatic outbound notifications, do not install or run the cron-creation portions of the skill.
Review Dimensions
- Purpose & Capability (concern): Name/description state it calls the Zeelin Deep Research API — the code does call desearch.zeelin.cn, which matches the purpose. However, the skill metadata declares no required environment variables/credentials while every script expects an API key (ZEELIN_API_KEY or ~/.openclaw/zeelin-config.json). That mismatch between declared requirements and actual runtime needs is incoherent and could surprise users. Also, the scripts use the OpenClaw 'cron' CLI to create scheduled jobs and send notifications to a hard-coded dingtalk recipient ID (0211560138072828), which is not explained in the description and is unexpected for a research-only skill.
- Instruction Scope (concern): SKILL.md instructs asynchronous submission and periodic checks — consistent with the code. But there are contradictions: SKILL.md says it will check every 30s and cron every 2 minutes / every 1 minute in different places; it claims results are saved to /tmp/ while the code writes to the skill's reports directory (~/.openclaw/.../reports). SKILL.md also promises automatic 'active' notifications; the code implements this by creating an openclaw cron job that targets a specific dingtalk channel/recipient. Creating persistent scheduled jobs and sending outbound notifications is within the broad stated purpose, but pushing notifications to a hard-coded external recipient is not documented in the skill metadata or given as a configurable option — that's scope creep and a privacy/exfiltration risk.
- Install Mechanism (ok): No remote install/download or extract operations are present; source is included as local scripts and INSTALL.md describes manual copy. There is no install spec that fetches arbitrary code from external URLs. From an installation perspective this is low risk — but because code is shipped with the skill, users should still inspect it before running.
- Credentials (concern): Registry metadata lists no required env vars or primary credential, but the code requires an API key (reads ZEELIN_API_KEY or ~/.openclaw/zeelin-config.json). That is a substantive credential requirement that wasn't declared. Additionally, the add_cron_job call hard-codes a notification channel ('dingtalk') and a recipient ID, which is unrelated to the declared purpose and could result in automatic outbound notifications (and potentially data leakage) to an external account.
- Persistence & Privilege (concern): The skill creates a persistent cron job through the openclaw CLI (openclaw cron add) to perform periodic checks and send notifications. It also writes status, PID, logs, and report files, and may remove its cron job later. 'always' is false, and autonomous invocation is the default (not grounds for flagging alone), but the creation of scheduled jobs and hard-coded outbound notification targets increases persistence and blast radius — especially given the unexplained external recipient.
