Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
360 Search
v1.0.3
Provides search functionalities including image and news retrieval using the 360 Search API.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description says the skill uses the '360 Search API', but the implementation (360_search_client.py) scrapes so.com via Playwright (a headless browser). That is a capability mismatch. The package also advertises an .env.example and scripts that imply CLI usage, yet no environment variables or API keys are declared in the registry metadata. The README and SKILL.md reference files and commands (e.g., scripts/search.py) that do not exist. These mismatches mean the declared purpose does not align with what is bundled.
Instruction Scope
SKILL.md is minimal/auto-generated and tells the user to check .env.example, but there is no .env.example in the manifest. The runtime instructions do not describe required dependencies (playwright, browser binaries) or permissions. The code launches a headless browser and navigates to external URLs (so.com) — expected for a scraper — but the docs do not warn about this or give installation/permission guidance. Scripts and tests import 'search_client' while the real file is named '360_search_client.py', indicating broken import paths.
Install Mechanism
There is no install spec. The code depends on Playwright and browser engines (Chromium) which typically require pip install and playwright install steps; those are not declared. Lack of an install mechanism means the skill will likely fail at runtime unless the environment already has Playwright and browsers installed. Missing install instructions is a packaging risk (unexpected runtime failures and unclear prerequisites).
Credentials
Registry metadata lists no required env vars, but SKILL.md and README reference copying a .env.example (which is absent). The code itself does not read environment variables, so the .env reference is unexplained. No credentials are requested (which is coherent with scraping), but the documentation's suggestion to use .env without specifying variables is inconsistent and unexplained.
Persistence & Privilege
The skill does not request 'always: true' and has no install steps that modify agent-wide configuration. It will run only when invoked. However, it does start a headless browser and executes web content from so.com, so users should be aware of the runtime behavior (remote JS executed within the headless browser context).
What to consider before installing
This package appears incomplete or poorly packaged rather than overtly malicious, but you should not install or enable it yet. Before using it, ask the publisher to: (1) clarify whether the integration uses an official 360 Search API or site scraping and update the description accordingly; (2) provide correct filenames or fix imports (scripts and tests import 'search_client' but the file is named '360_search_client.py'); (3) add a proper install spec and list required dependencies (playwright, and instructions to install browser binaries) or confirm they are available in your environment; (4) include or remove the referenced .env.example and document any environment variables if needed; (5) correct READMEs/SKILL.md to match actual usage and add security notes about running a headless browser; and (6) provide provenance (homepage or source) and ensure version metadata matches the package. Additional caution: headless browsers execute remote page JavaScript, which could trigger unexpected network calls — only run this skill in a trusted environment and consider requiring explicit user approval before the agent launches the browser.
Like a lobster shell, security has layers — review code before you run it.
