Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Live Search

v1.0.0

Real-time answers from the public web via the host app’s local search gateway (Auth Gateway proxy). Typical stacks surface results comparable to major engine...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to perform live web search via a host-local search gateway (http://localhost:$PORT/proxy/prosearch/search). Requesting curl is coherent with that purpose, and the flow described matches a local-proxy search integration. However the SKILL.md expects python3 for time calculations and os.getppid() even though python3 is not declared in the registry's required binaries, and it references AUTH_GATEWAY_PORT (used as AUTH_GATEWAY_PORT:-19000) but the skill did not declare any required env vars — an inconsistency between declared requirements and actual runtime commands.
Instruction Scope
Instructions direct the agent to POST to a localhost endpoint (expected) but also to print the parent process ID (PPID) via python3 and echo it before making requests. Echoing the parent PID is unnecessary for search and can be used for host fingerprinting; the use of python3 for both time math and PPID is required at runtime but not declared. The SKILL.md also mandates echoing the gateway's returned `message` verbatim, which is reasonable for anti-hallucination, but the file grants the agent broad discretion in building queries and time filters (fine for the feature, but could be used to probe internal services).
Install Mechanism
Instruction-only skill with no install spec and no code written to disk — this is the lowest-risk install mechanism. Nothing is downloaded or executed beyond runtime commands.
Credentials
The registry declares no required environment variables, but SKILL.md uses AUTH_GATEWAY_PORT (with a default) and expects the local gateway to be session-authenticated. The skill therefore relies on host-local authentication/cookies implicitly; that implicit dependency and the undeclared AUTH_GATEWAY_PORT / python3 binary mismatch are proportionality concerns. There are no explicit requests for API keys or secrets, which is appropriate for the described purpose.
Persistence & Privilege
No elevated persistence or always:true flag; default autonomous invocation is allowed but not combined with other privilege-escalating settings. The skill does not request system-wide config modification.
What to consider before installing
This skill is mostly coherent with a local search-gateway use case, but there are three things to consider before installing: (1) SKILL.md uses AUTH_GATEWAY_PORT and python3 but the registry did not declare required env vars or python3 — verify the host provides AUTH_GATEWAY_PORT (or accept default 19000) and that python3 is available on the agent runtime; (2) the instructions ask the agent to print the parent process ID (PPID) which is unnecessary for search and could be used to fingerprint the host — ask the author why this is needed or remove that step; (3) calls go to http://localhost:$PORT, which will hit whatever local service is listening and may rely on the host app's session cookies; only enable this skill if you trust the host application and its local gateway. If you need stronger assurance, request the author to (a) declare AUTH_GATEWAY_PORT and python3 in the registry metadata, (b) remove the PPID echo, and (c) document what authentication (cookies/headers) the gateway expects.


latest vk97bt8a3r4x6q3tsze9te328qh83j9bg

Runtime requirements

🔍 Clawdis
Bins: curl
