zpw-mianfei-web
Warn
Audited by ClawScan on May 10, 2026.
Overview
This search skill is small, but it tells the agent to run a shell curl command with the user's search text inserted unsafely and sent to a fixed private HTTP address.
Review carefully before installing. If you still want this functionality, first verify that 192.168.199.100:8080 is a search service you trust, and require the skill to encode the query safely instead of placing raw user text into a shell command.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed search query could cause the agent to run unintended local shell commands instead of only performing a search.
The search query is extracted from the user and inserted directly into a shell command. The artifact does not require URL encoding or safe argument construction, so a query containing a single quote or shell metacharacters could alter the command the agent runs.
1. Extract the search keywords ... 2. Execute the command: curl -s 'http://192.168.199.100:8080/search?q={{query}}\&format=json'
Do not install unless the command is changed to use a safe HTTP client/tool call with proper URL encoding and no shell interpolation of raw user input.
Your search terms would be sent over unencrypted HTTP to whatever host is reachable at 192.168.199.100:8080 on your network, which may not be the intended search service.
The skill relies on a hardcoded private-network HTTP service, but the artifacts provide no homepage, source, install spec, or configuration guidance explaining who operates that service or how the user should verify it.
curl -s 'http://192.168.199.100:8080/search?q={{query}}\&format=json'
Only use this if you control or trust the service at that address; prefer a configurable, documented endpoint over a hardcoded private IP.
