ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Z.AI Web Search

v1.0.0

AI-optimized web search via Z.AI Web Search API. Returns structured results (title, URL, summary) for LLM processing.

1· 972·6 current·7 all-time
byBartosz Pijet@bartoszpijet
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: scripts call Z.AI's web_search API and require ZAI_API_KEY. Required binary (node) is expected and proportional.
Instruction Scope
SKILL.md instructs only running the included node scripts. The extract script fetches arbitrary URLs and strips HTML (intended behavior for extraction). Note: arbitrary URL fetching can reach internal/metadata endpoints if run in an environment with broad network access — this is a normal capability for a URL-extraction tool but worth being aware of.
Install Mechanism
No remote install/downloads or package installs are specified. The skill is instruction+local scripts only (no external archive downloads), minimizing install-time risk.
Credentials
Only ZAI_API_KEY (primary credential) is required, which is appropriate for calling the Z.AI Web Search API. The code also optionally checks Z_AI_API_KEY as a fallback — benign but documented.
Persistence & Privilege
always is false and the skill does not request elevated or cross-skill configuration. It does not persist or modify other skills or agent-wide settings.
Assessment
This skill appears to do what it says: it posts search requests to api.z.ai using ZAI_API_KEY and provides a basic HTML extractor. Before installing, consider: (1) Only provide an API key you control and can rotate; treat it as sensitive. (2) If you run agents in environments with access to internal networks or metadata services, be aware that the extract script can fetch arbitrary URLs — run in a network-restricted/isolated environment if you’re concerned. (3) Source is listed as unknown; if you need higher assurance, verify the publisher (owner ID) or inspect the included scripts yourself (they are short and readable). Rotate or revoke the key if you stop using the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk9792tvff1kzgm6zz0rcfk5x4d81epxy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binsnode
EnvZAI_API_KEY
Primary envZAI_API_KEY

Comments