Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Rumor Buster - Dual-Engine Rumor Verification
v0.5.0
Dual-engine fact-checking skill for verifying news, claims, and messages through Chinese + English cross-verification and source tracing. Use when user wants...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (dual-engine fact‑checking) align with its code and instructions: it performs Chinese + English searches, cross‑verifies, traces sources, and writes a local config. However it probes local skill installation paths (~/.openclaw/..., /usr/local/..., /opt/...) to detect other installed search skills and uses external Tavily API calls — these are explainable (to discover available engines) but broaden its footprint beyond a purely query-only verifier.
Instruction Scope
Runtime instructions include reading/writing a config file (~/.rumor-buster-config), spawning a setup sub-skill (sessions_spawn), maintaining in-memory session state, testing remote search endpoints, and aggregating raw search results (full detailed report). Those actions are consistent with the stated purpose, but the skill will perform network requests (including to tavily.com) and read local filesystem locations to detect other installed skills. The SKILL.md also instructs returning complete search results in 'detailed report', which can expose raw retrieved content and any included metadata.
Install Mechanism
No install spec is provided (instruction-only with a couple of included scripts). No remote downloads or extract steps are present, and code files are bundled with the skill — this is low install-risk compared to download-based installers.
Credentials
The skill does not declare required environment variables, but the code uses a TAVILY_API_KEY environment variable if present and — critically — tavily_search.py contains a hard-coded default API key ('tvly-dev-...'). Embedding a default key in shipped code is disproportionate: it may route user queries through the developer's key (privacy, quota, billing, or misuse concerns). Aside from Tavily, the skill does not request additional unrelated credentials. It also writes the config file to the user's home (which may store API keys entered interactively).
Persistence & Privilege
The skill does persist a config file at ~/.rumor-buster-config and scans user paths to detect other skills, but it does not request always:true or other elevated privileges and does not modify other skills' configurations. Writing a config in the user's home is expected behavior for a setup flow.
What to consider before installing
This skill appears to implement what it claims, but proceed with caution:
1) The code contains a hard-coded Tavily API key — remove or replace it and supply your own key if you plan to use Tavily; using the embedded key could expose your queries to the developer and consume their quota.
2) The setup script probes local paths (~/.openclaw/..., /usr/local/..., /opt/...) to detect other installed skills and makes outbound HTTP requests to test search engines and to Tavily — expect network traffic and possible transmission of the search query text to external services.
3) The skill writes ~/.rumor-buster-config (which may contain partially redacted API keys) — review the file before and after first run.
Recommended steps before installing: review the tavily_search.py and setup.py sources, remove the default API key or ensure it is not used, run in a controlled environment if you care about privacy, and avoid enabling Tavily (or provide your own key) if you do not trust the external service. If any of these behaviors are unacceptable, do not install.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a0ttxd8tarkfw067z9dxqf9849ryv
