Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Turing Tavily Web Search

v1.0.0

Search the web via the Turing Tavily proxy. Use when the user asks to search the web, look up real-time information, research current events, or needs up-to-...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The code and SKILL.md implement a web search via a Turing Tavily proxy and require TURING_API_KEY, TURING_CLIENT, TURING_ENVIRONMENT — these credentials are proportional to the stated purpose. However, the registry-level metadata provided earlier declares no required env vars or primary credential, which is inconsistent with the skill's actual behavior.
Instruction Scope
SKILL.md instructs running the bundled script and configuring credentials in ~/.openclaw/openclaw.json (skills.entries.turing-skills.env). The script only reads that file and sends search queries to the Turing proxy; it does not attempt to read other system files. This scope is appropriate, but the reliance on a user config file (instead of environment variables at runtime) should be noted.
Install Mechanism
There is no install spec (lowest install risk) and no network-downloaded code. However, the bundled script uses the Python 'requests' package but the skill does not declare this dependency; runtime failures or unexpected local installs may occur if 'requests' is missing.
! Credentials
The script requires TURING_API_KEY (Bearer token), TURING_CLIENT, and TURING_ENVIRONMENT, plus an optional TURING_API_BASE. Those are appropriate for calling the proxy API, but the registry metadata omitted these requirements. The mismatch between declared and actual credential needs is a red flag that could lead to misconfiguration or inadvertent secret exposure.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It only reads its own config file (~/.openclaw/openclaw.json) and does not write system-wide settings or modify other skills.
What to consider before installing
Do not install blindly. Before using:
(1) Confirm you trust the Turing Tavily proxy domain (default https://live-turing.cn.llm.tcljd.com) because your API key will be sent there.
(2) Verify or update the registry metadata to declare TURING_API_KEY, TURING_CLIENT, and TURING_ENVIRONMENT so you know what secrets are required.
(3) Check that the script's expected config location (~/.openclaw/openclaw.json) is acceptable to you — the script reads that file for credentials.
(4) Ensure Python's 'requests' is available or install it in an isolated environment.
(5) If you have doubts about the endpoint or owner, review the script yourself or run the skill in a locked-down container; do not provide production API keys until you are confident.

Like a lobster shell, security has layers — review code before you run it.

latest vk97bzb00bdcprnpa00069eksz582v841

Runtime requirements

🔍 Clawdis