ZhiPu Search
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will use your Zhipu account quota/permissions when searches are run.
The script reads a Zhipu API key from the environment or config file and uses it as a bearer credential for the provider request.
if (process.env.ZHIPU_API_KEY) return process.env.ZHIPU_API_KEY; ... 'Authorization': `Bearer ${apiKey}`Use a dedicated Zhipu API key with appropriate limits, prefer the environment variable over storing secrets in config.json, and rotate the key if it is exposed.
Anything placed in the search query may be sent to the external search provider.
Search queries are sent to the external Zhipu/BigModel API, which is expected for this web-search skill but is still a data-sharing boundary.
hostname: 'open.bigmodel.cn', path: '/api/paas/v4/web_search' ... search_query: opts.query.slice(0, 70)
Avoid putting confidential or regulated information in search queries unless you are comfortable sharing it with the Zhipu/BigModel service.
You have less publisher/source context than you would for a skill with a verified repository or homepage.
The package provenance is limited, although the included script is small, visible, and there is no install-time downloader or dependency installation.
Source: unknown; Homepage: none
Review the included script and install only if you trust the publisher and the Zhipu API endpoint it uses.