ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Azure Bing Grounding

v1.0.0

Web search grounding via Azure Foundry and Bing Grounding Search tool. Use when the user needs up-to-date information searched from the web via Azure AI Agen...

0· 62·0 current·0 all-time
by@bowang306
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, README, and included Python script all implement an Azure AI Agents + Bing Grounding workflow that matches the skill name/description. However the registry metadata claims no required env vars or primary credential while the SKILL.md and script clearly require FOUNDRY_PROJECT_ENDPOINT and BING_PROJECT_CONNECTION_ID (and optionally AZURE_* credentials). This metadata omission is an inconsistency.
Instruction Scope
Runtime instructions are narrowly scoped to invoking the included script, installing the Azure SDKs, and providing Azure/Azure Foundry/Bing Grounding configuration. The script reads ~/.openclaw/.env and environment variables to obtain configuration/credentials, which is expected for this integration.
Install Mechanism
There is no formal install spec in the registry (instruction-only style), but the SKILL.md requires pip installing azure-identity and azure-ai-agents. These are public Python packages (no direct downloads from arbitrary URLs), so installation risk is moderate and traceable — you should verify package names/versions from PyPI if concerned.
!
Credentials
The script legitimately needs Azure/Founry/Bing connection information and possibly service-principal secrets to authenticate. That said, the registry metadata does not declare these required env vars (FOUNDRY_PROJECT_ENDPOINT, BING_PROJECT_CONNECTION_ID, AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET), causing a mismatch. Providing Azure credentials grants this skill access to your Azure resources — ensure least-privilege credentials are used.
Persistence & Privilege
The skill is not always-enabled and does not request any special platform-level persistence. It creates and deletes an agent in your Azure project for each run (the script attempts cleanup), which is consistent with its purpose.
What to consider before installing
This skill appears to implement exactly what it claims (Azure AI Agents + Bing Grounding), but the registry metadata failed to declare required environment variables. Before installing or running: 1) Confirm you are comfortable providing FOUNDRY_PROJECT_ENDPOINT and BING_PROJECT_CONNECTION_ID and, if needed, a service principal (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET). Use a least-privilege service principal. 2) Verify the pip packages (azure-identity, azure-ai-agents) from PyPI and consider pinning versions. 3) Be aware the script reads ~/.openclaw/.env and environment variables — keep only necessary secrets there. 4) Review Azure permissions and billing implications: the script creates agents/operations in your project. 5) If you cannot trust the source, do not provide long‑lived credentials; consider creating a scoped, revocable service principal for testing. If you want me to, I can (a) list the exact env vars the script reads, (b) produce a minimal example service principal permission set, or (c help verify the PyPI packages and current package maintainers.

Like a lobster shell, security has layers — review code before you run it.

latestvk974r65d4s75ay8rdes4y7emw983m770

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments