Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youcom Search

v0.1.3

you.com web search, deep research, and content extraction for OpenClaw. Free tier for basic search; research and extract require a paid API key.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The scripts and SKILL.md implement free search, paid research, and paid content extraction as advertised; network calls go to api.you.com and ydc-index.io which matches the stated purpose. However the registry metadata claims no required environment variables while the SKILL.md (and the research/extract scripts) require YOUCOM_API_KEY for paid endpoints — an inconsistency between claimed requirements and actual needs.
!
Instruction Scope
SKILL.md instructs the user to add YOUCOM_API_KEY to ~/.openclaw/.env and to restart the gateway via systemctl --user restart openclaw-gateway. Those are explicit system-level actions and reference a specific config path/service that were not declared in the registry metadata. The scripts themselves only perform straightforward HTTP requests and do not read arbitrary files, but the runtime instructions do ask the user to put secrets in a particular agent config file and restart a service, which broadens scope and should be confirmed by the user.
Install Mechanism
No install spec — this is instruction+scripts only. Required binary is python3 and scripts use only Python standard library (urllib, json, argparse). Nothing is downloaded or extracted by an automated install process.
!
Credentials
Only one credential (YOUCOM_API_KEY) is used by the code and it's appropriate for the paid endpoints; however the registry lists no required env vars while SKILL.md marks YOUCOM_API_KEY as required and the scripts raise an error if it's missing for research/extract. The SKILL.md also directs storing the key in ~/.openclaw/.env — reasonable but sensitive. No unrelated credentials are requested, but the mismatch between registry and skill instructions is a red flag.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges. The only persistence-related action in SKILL.md is instructing the user to put the key in ~/.openclaw/.env (a user-level dotfile) and restart a user service; the skill itself does not modify other skills or system-wide config.
What to consider before installing
This package appears to implement the stated you.com search, research, and extract calls and the Python scripts look straightforward. However: (1) double-check the origin — the registry metadata claims no required env vars but the SKILL.md and scripts require YOUCOM_API_KEY for paid endpoints; that mismatch is suspicious. (2) The README/SKILL.md tell you to put your API key into ~/.openclaw/.env and restart openclaw-gateway — only do that if you trust the skill source. Prefer creating a limited API key on you.com (if possible) and monitor usage/charges. (3) Review the three Python scripts yourself or run them in an isolated environment before adding the key to your real agent config. (4) If you don't want to store the key persistently, you can export it in-session or provide it only when needed. If the skill came from an unknown/untrusted author, treat it as untrusted until you can verify the publisher and the endpoints (api.you.com and ydc-index.io) are legitimate for your account.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔎 Clawdis
Bins: python3
