Naver Search

v1.0.4

Modularized Naver Search. Features separate scripts for Web, News, Shopping, and Images. Integrates SerpAPI specialized parameters.

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
Name/description match the provided code: scripts cover web, news, shopping, images, video, booking and call SerpAPI. However the skill metadata declares no required environment variables or primary credential while both SKILL.md and code require SERPAPI_API_KEY. That mismatch (code needs an API key but the registry doesn't declare it) is an incoherence a user should be shown.
!
Instruction Scope
SKILL.md instructs running the included scripts and storing SERPAPI_API_KEY in an .env file—this aligns with the code. The code adds the user's site-packages path to sys.path (inserting it at index 0) before importing serpapi, which is not documented in SKILL.md and can allow importing user-controlled packages that shadow standard packages. The aggregator uses subprocess.run to call local scripts and parses their stdout as JSON; this is expected but means script outputs are trusted without strong validation.
Install Mechanism
There is no automated install spec (no downloads). A requirements.txt lists only 'serpapi' and README suggests pip install -r requirements.txt — this is low-to-moderate friction and traceable. No suspicious external URLs or archive extracts are present.
!
Credentials
The only runtime secret required is SERPAPI_API_KEY (declared in SKILL.md and used by lib/naver_base.py). However the registry metadata did not list any required env vars or primary credential, which is inconsistent and potentially misleading. The code will read a top-level .env file if the env var is absent; that file could contain other secrets if users reuse it. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not attempt to modify other skills or system-wide settings; autonomous invocation is allowed (the platform default) but not combined with always:true.
What to consider before installing
This package implements the advertised Naver/SerpAPI searches, but there are two issues to consider before installing:
- Metadata mismatch: the skill requires SERPAPI_API_KEY (and reads .env) but the registry did not declare this required credential. Confirm you are comfortable providing a SerpAPI key and that the publisher should have declared it.
- Import path change: lib/naver_base.py injects the user's site-packages path at the start of sys.path. That can cause local/user-installed packages to be imported in place of system packages (a supply-chain/namespace shadowing risk). Consider reviewing the code locally, running in a sandbox, or removing the sys.path modification before use.
- Operational safety: store the API key in a dedicated, least-privilege SerpAPI account, protect the .env file (chmod 600), and inspect or run the scripts in an isolated environment if you don't trust the publisher. Ask the publisher to update registry metadata to list SERPAPI_API_KEY and to explain why user_site is prepended to sys.path.

Like a lobster shell, security has layers — review code before you run it.
