Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Anspire Search

v1.0.0

Anspire Search: real-time web search for news, events & time-sensitive facts. Use scripts/search.py (Python) or scripts/search.sh (shell) for easy execution....

by Anspire (@anspire-ai)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's code, README, and SKILL.md all require an ANSPIRE_API_KEY and call https://plugin.anspire.cn, which is coherent with a web-search skill. However the registry metadata lists 'Required env vars: none', creating an inconsistency between declared requirements and the actual files/instructions. The skill source and homepage are also 'unknown' / missing in registry metadata, reducing provenance.
!
Instruction Scope
SKILL.md instructs the agent to proactively ask for the user's API key and then 'automatically configure it persistently' by detecting the shell and writing export lines into ~/.zshrc, ~/.bashrc, or running setx on Windows and sourcing the files. Writing persistent environment configuration and running source are within the plausible setup for an API-backed search tool, but it's intrusive and elevates risk if done without explicit, line-by-line user confirmation. Aside from persistence, runtime behavior is limited to calling the plugin.anspire.cn API (curl/urllib), which matches the purpose.
Install Mechanism
No install spec; skill is instruction + two small wrapper scripts. There are no downloads from unknown URLs and no archives to extract. This is low-risk from an install perspective.
!
Credentials
The only secret the skill needs is ANSPIRE_API_KEY, which is proportionate to a hosted search API. However the registry metadata omits this required env var while SKILL.md and both scripts enforce it—this metadata mismatch is an incoherence the user should notice. Also the SKILL.md's insistence on persistent storage (and instructions to never mask or truncate the key) increases the potential exposure of that secret.
!
Persistence & Privilege
The skill is not marked always:true and does not modify other skills, which is good. However the runtime instructions encourage or automate persistent modification of the user's shell configuration (and sourcing it). That grants the skill the capability to change user environment across sessions; it's reasonable for an API-key setup but should only be done with explicit user approval and with clear, visible commands before writing.
What to consider before installing
This skill appears to be a straightforward wrapper around a hosted search API (plugin.anspire.cn) and requires an ANSPIRE_API_KEY, but the registry metadata does not declare that requirement and the SKILL.md tells the agent to write the key persistently into your shell config. Before installing or giving a key:

1) Confirm you trust the domain (https://plugin.anspire.cn) and the skill author (source/homepage is missing in registry).
2) Prefer to set the API key yourself manually (or only for the current session) rather than letting the agent auto-write to your ~/.bashrc / ~/.zshrc; request the exact command the skill will run and review it line-by-line.
3) Use a least-privilege/rotatable API key if possible and consider storing it in a system credential manager instead of plaintext rc files.
4) If you refuse persistent storage, the skill still works with a session-only export (both scripts check ANSPIRE_API_KEY).
5) If you are concerned about provenance, ask for a verifiable homepage or repository before proceeding.

If you want, I can show the exact commands the skill would run to persist the key so you can approve or edit them first.

Like a lobster shell, security has layers — review code before you run it.

latestvk970cw08dfkt8cyb3e39cg1qq984gpga

Runtime requirements

🔎 Clawdis
Any bin: curl, python3
