ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Search Intelligence Skill

v0.1.1

Advanced AI-powered search skill using SearXNG as the universal search backend. Multi-engine dork generation, 90+ search engines, intelligent search strategi...

0· 407·2 current·3 all-time
byMouaad@elmaslouhymouaad
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (advanced search, dork generation, OSINT, SEO, security scanning) align with the included code: intent parsing, dork generation, a SearXNG HTTP client, and result analysis. The requested runtime pieces (python, httpx) are proportional to the stated purpose.
Instruction Scope
SKILL.md runtime instructions limit network access to a user-provided SearXNG instance and describe local installation and use. Example usage includes potentially privacy-invasive queries (exposed .env, admin panels, investigating emails/phones), but those examples are consistent with the skill's stated OSINT/security focus and do not instruct reading unrelated local files or environment secrets.
Install Mechanism
No remote binary downloads or obscure installers are present: the package uses normal Python packaging (setup.py, pip install -e .) and a single external dependency (httpx). One minor inconsistency: the registry metadata indicated 'no install spec / instruction-only' while SKILL.md includes pip installation metadata — this is likely a metadata mismatch rather than malicious activity.
Credentials
The skill declares no required environment variables or credentials and the code shown uses a configurable SearXNG base URL (default localhost). There are no hard-coded external API keys or telemetry endpoints visible in the provided files. The examples intentionally search for exposed secrets (e.g., API_KEY on GitHub) — that is a feature for OSINT but the skill does not request secrets to operate.
Persistence & Privilege
No elevated privileges requested. Flags show always:false and user-invocable:true (normal). The package does not request persistent platform-wide modification or access to other skills' configs in the reviewed files.
Assessment
This skill is internally consistent with its description: it uses a local or user-provided SearXNG instance (no API keys required) and implements dork generation, intent parsing, and result analysis. Before installing, consider: 1) Run the code in a controlled environment and point it to a SearXNG instance you control (default is localhost). 2) Review the omitted/truncated source files (notably skill.py and strategies.py) for any unexpected network calls, telemetry, or subprocess execution. 3) Be aware that the tool is explicitly designed for OSINT/security research and includes example queries that locate exposed secrets and personal data — using it against systems or people without authorization can be illegal or unethical. 4) The registry metadata vs. SKILL.md shows a minor mismatch (install metadata present in SKILL.md), so prefer installing from a vetted source (your own clone of the repo) rather than an unknown package index build. If you want higher assurance, request a full diff or a reproducible build and scan the remaining files for outbound endpoints or obfuscated code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a6hengf4wc4yjk61g2xz3bx821rnq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🕵️ Clawdis

Comments