ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web Search Assistant

vv3.0.2

Web search via EvoLink API. Returns clean, formatted results with titles, URLs, and descriptions. Powered by evolink.ai

0· 181·0 current·0 all-time
by@evolinkai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (web search via EvoLink) match the requested env var (EVOLINK_API_KEY), required binaries (bash, curl, jq), and the script which POSTs queries to api.evolink.ai. Nothing requested appears unrelated to the stated purpose.
Instruction Scope
SKILL.md directs the agent to run the included scripts/search.sh which only sends the user query and max_results to api.evolink.ai and prints results. The script does not read other files or other environment variables. Note: the script interpolates the QUERY variable directly into the JSON body without escaping, which can produce malformed JSON for queries with embedded quotes/newlines (functional bug, not evidence of malicious intent).
Install Mechanism
No install spec; the skill is instruction-only with a small included shell script. Nothing is downloaded or extracted at install time.
Credentials
Only EVOLINK_API_KEY is required and declared as the primary credential. That single API key is appropriate for a web-search integration; no unrelated secrets or config paths are requested.
Persistence & Privilege
always is false, no modifications to other skills or system settings, and the skill does not request elevated or persistent privileges. Autonomous invocation is allowed (platform default) but not combined with other red flags.
Assessment
This skill appears to do exactly what it says: it sends your query to EvoLink (api.evolink.ai) and returns results. Before installing, consider: (1) any queries you run will be sent to EvoLink — avoid sending sensitive secrets or private data; (2) confirm you trust EvoLink and manage the EVOLINK_API_KEY like any API secret (rotate/revoke if compromised); (3) the included script interpolates the query into JSON without escaping, so very unusual queries may break or be reformatted — treat this as a functional bug, not malicious behavior; (4) you may want to review EvoLink's privacy/retention policy and the linked GitHub repo/docs to verify provider reputation.

Like a lobster shell, security has layers — review code before you run it.

latestvk973908m324e935d1j1n93hdas83ktrw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binsbash, curl, jq
EnvEVOLINK_API_KEY
Primary envEVOLINK_API_KEY

Comments