Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hot Search

v1.0.0

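Hot Search - OpenClaw stable search skill, designed for financial data and market quotes. Supports multi-engine aggregated search, requires no API key, and is free for unlimited use.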

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The code (search_skill.py) implements multi-engine search (Bing domestic/global, Yandex, Swisscows) and image download, which aligns with the skill name and description. Documentation/README claim of 'integrated Trading Economics' is not reflected in SEARCH_ENGINES; this is a documentation mismatch and should be clarified. The script's behavior (scraping, image download) is consistent with a search/market-data helper.
Instruction Scope
SKILL.md instructs normal installation and usage (git clone, pip install, run python). It does not request credentials or instruct the agent to read unrelated system files. Minor issues: an example uses web_fetch(url=link) which is not provided by the skill (an example helper only); SKILL.md also suggests using proxies/User-Agent which is expected for scraping. The script writes downloaded images to disk (default output_dir set to /home/fishsome/.openclaw/workspace/tmp) — expected for download functionality but users should be aware of filesystem writes.
Install Mechanism
No install spec in the registry (instruction-only), but repository-based installation via pip from requirements.txt is recommended. Dependencies are standard Python packages (requests, beautifulsoup4, lxml) from PyPI — no unusual or remote archive downloads detected.
Credentials
The skill declares no required environment variables, no credentials, and does not access sensitive system configs. It only performs network requests to search engines and to URLs returned by those searches, which is proportionate to its stated function.
Persistence & Privilege
The skill is not set to always:true, does not request persistent privileges, and does not modify other skills or global agent configuration. Autonomous invocation is enabled by default (standard for skills) but is not combined with broad credentials or suspicious behavior here.
Assessment
This skill appears to do what it says (aggregate web searches and download images). Before installing:
1) Note the script performs web scraping and will make arbitrary outbound HTTP requests and write files (images) to disk — change the default output_dir to a safe path.
2) The README mentions 'Trading Economics' but the code doesn't include that engine; verify the repo if you rely on that source.
3) Downloaded files come from third-party URLs — treat them cautiously (scan or sandbox before opening).
4) Run in a sandbox/container or non-privileged account, and review the code if you plan to run it automatically.
5) Respect target sites' terms of service and rate limits; use delay_range/timeout and proxies responsibly to avoid abuse or IP blocking.


Tags: financial-data, hot, latest, oil-price, search
