Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Find Agents Skill

v1.0.0

Performs intelligent web and specialized searches, aggregates multi-source results, and delivers summarized, cited answers with credibility scoring.

by bittao@hgta23
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md and README claim real-time multi-engine web, news, academic and code search and present SEARCH_API_KEY as required; however, the code's performSearch function uses placeholder endpoints (e.g. https://api.search.com/general) and returns a simulated result array instead of calling real search APIs. The code does fetch pages (axios + cheerio) for the result URLs, which is consistent with scraping, but there is no implemented integration with the multiple search APIs the docs promise. Registry metadata lists no required env vars, while the docs advertise SEARCH_API_KEY as required, so the documented expectations do not match the implementation.
! Instruction Scope
The runtime instructions (SKILL.md) tell the agent to use SEARCH_API_KEY and describe connecting to multiple search APIs, but the actual runtime behavior in index.js does not call any external search API endpoint (it uses a simulated result set) and only fetches the individual URLs returned by that placeholder result. The SKILL.md also asserts privacy/security guarantees (e.g., 'No query logging', 'malicious domain filtering') that are not backed by code. The instructions therefore overpromise and grant the agent broad web-fetching capability without clear, implemented boundaries.
Install Mechanism
There is no install spec in the registry (instruction-only), but the skill includes Node.js code and a package.json with dependencies on axios and cheerio. This is not high-risk by itself (dependencies are from npm, no remote arbitrary download URLs), but the presence of runnable code despite an 'instruction-only' install declaration is an inconsistency to be aware of.
! Credentials
The SKILL.md and README reference environment variables such as SEARCH_API_KEY, AI_MODEL, SEARCH_MAX_RESULTS, and SEARCH_TIMEOUT. The registry lists no required env vars. The code reads process.env.SEARCH_API_KEY and AI_MODEL into its config, but SEARCH_API_KEY is never actually used to call a real search API in the provided performSearch implementation. Requiring or asking for API keys in docs while not declaring them in metadata is inconsistent and could mislead users into providing secrets unnecessarily.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not modify other skills or system-wide agent settings. It exports functions and provides CLI behavior, but it does not request elevated platform privileges.
What to consider before installing
This skill overpromises: its docs claim multi-engine, API-key-backed searches and privacy guarantees, but the code contains only placeholder search endpoints and returns simulated results. Practical steps before installing or using:
1) Treat SEARCH_API_KEY as required only if the implementation actually calls real APIs; ask the author, or inspect updated code that replaces the placeholder performSearch with real API calls.
2) Don't provide sensitive API keys or secrets unless you confirm the skill actually needs them and the endpoint is a trusted service.
3) Note that the code can fetch arbitrary URLs (axios + cheerio), so run it in a restricted environment if you want to test it.
4) Prefer skills with a clear source/homepage and implemented search integrations (not placeholders), and verify privacy claims in the code.
If the repository later replaces the placeholder endpoints with legitimate, documented API integrations and updates the registry metadata to declare the required env vars, reassess; that would reduce the concern.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
index.js:14: Environment variable access combined with network send.



