Yves Web Search
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: yves-web-search
Version: 1.0.1

The `scripts/reader.sh` file contains a URL parameter injection vulnerability. Arguments such as `--proxy`, `--selector`, and `--remove` are not sufficiently sanitized for URL control characters (e.g., '&', '=') before being appended to the `BASE_URL` for the `curl` command. This flaw could allow an attacker to inject arbitrary parameters into the Jina AI API request, potentially altering its intended behavior. There is no evidence of intentional malicious behavior like data exfiltration or backdoors.
