ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill for searching images and boards in zizo library (https://zizo.pro).

Search images and boards in zizo library. Use when user asks to search for images, photos, pictures, visual assets, or boards/collections.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 18 · 0 current installs · 0 all-time installs
byfoobar@foobarhe
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (search images/boards on zizo.pro) matches the included code and instructions: the CLI calls the zizo MCP API. However the registry metadata (top-level summary) says "Required env vars: none" and "Primary credential: none" while both SKILL.md and dist/index.js require a ZIZO_TOKEN (and optionally ZIZO_SERVER). That metadata/code mismatch is incoherent and should be corrected.
Instruction Scope
SKILL.md confines runtime actions to reading environment variables and invoking the bundled Node CLI (node dist/index.js) to POST JSON-RPC requests to the zizo server. It does not instruct the agent to read unrelated files, other credentials, or exfiltrate data to third-party hosts. Instructions to obtain a token point to zizo.pro. Behavior described is limited to the stated purpose.
Install Mechanism
There is no install spec (instruction-only), and a pre-built dist/index.js is included in the package. No external downloads, shell installers, or unusual extraction steps are present. The runtime uses only Node's built-in https module. This is a low-risk install footprint.
!
Credentials
The code and SKILL.md require ZIZO_TOKEN (and optional ZIZO_SERVER, ZIZO_LIMIT, ZIZO_SCOPE). Requiring a single API token is proportionate to the skill's purpose. The problem is that the registry metadata incorrectly lists no required environment variables and no primary credential, creating a mismatch in what the skill claims to need vs what it actually needs at runtime.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and has no persistent installation actions described. It runs as an on-demand CLI and has normal, limited privilege.
What to consider before installing
Before installing or enabling this skill: - Note the metadata mismatch: the package metadata claims no required env vars, but the SKILL.md and code require ZIZO_TOKEN. Treat this as a red flag and ask the publisher to fix metadata. - If you proceed, only provide a token with the minimal possible privileges. Verify what that token can access on https://zizo.pro (scopes, revocation). - Confirm you trust the owner: there is no homepage and the source is "unknown." Prefer skills with a verifiable publisher and homepage. - The bundled code is readable and only POSTs to the ZIZO_SERVER /mcp endpoint over HTTPS and formats results; it does not access other local files or external endpoints. That reduces risk, but the token is sensitive — don’t reuse high-privilege tokens. - If you need higher assurance, request the publisher to correct the registry metadata and provide a source/homepage or reproducible build steps so you can audit the package before use.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.4
Download zip
latestvk976vfcpse2hh72c9jdwadvx7x83a724

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Zizo Search

Search images and boards in zizo library using zizo.

Configuration

获取 Token

  1. 访问 https://zizo.pro/#/?settings=token
  2. 登录或注册 zizo 账号
  3. 在页面上找到并复制你的 token
  4. 将 token 设置到环境变量中

设置方式

Environment Variables

export ZIZO_TOKEN=<your_mcp_token>  # 从上述页面获取的 token
export ZIZO_SERVER=https://zizo.pro  # optional, default: https://zizo.pro
export ZIZO_LIMIT=20                 # optional, default: 20
export ZIZO_SCOPE=public             # optional, default: public

Note: Configuration is only read from environment variables. No config file is used.

Prerequisites

Ensure zizo is configured:

  • node dist/index.js version to verify installation
  • node dist/index.js config show to verify configuration

Usage

Search Images

node dist/index.js search images "$QUERY" --limit ${LIMIT:-10} --scope ${SCOPE:-public}

Search Boards

node dist/index.js search boards "$QUERY" --limit ${LIMIT:-10}

Arguments

  • $QUERY: Search query (required) - supports Chinese and English
  • --limit: Number of results, default 10
  • --scope: Search scope for images
    • public: Public images only
    • mine: User's own images
    • all: All accessible images

Examples

User: "搜索 sunset 相关的图片"

node dist/index.js search images "sunset" --limit 10

User: "Find travel boards"

node dist/index.js search boards "travel" --limit 10

User: "帮我找 5 张风景图"

node dist/index.js search images "风景" --limit 5

Environment Variables

VariableDescriptionDefault
ZIZO_TOKENAPI token (required)-
ZIZO_SERVERAPI server URLhttps://zizo.pro
ZIZO_LIMITDefault result limit20
ZIZO_SCOPEDefault search scopepublic

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…