Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
multi-search-engine
v1.0.0Multi search engine integration with 17 engines (8 CN + 9 Global). Supports advanced search operators, time filters, site search, privacy engines, and Wolfra...
⭐ 0· 122·0 current·0 all-time
by@jasdkc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (multi search across 17 engines) aligns with the provided SKILL.md, config.json, and reference docs. However package metadata is inconsistent: package.json lists main="multi-search.py" but no code files are present, and file-level metadata (_meta.json, CHANGELOG) show a different version (2.0.1) than the registry metadata (1.0.0). These mismatches suggest the published bundle may be incomplete or not the intended release.
Instruction Scope
SKILL.md and references instruct the agent to perform web fetches and HTML scraping across many third-party search endpoints and include examples using powerful search operators (e.g., site:, intext:, filetype:). While expected for a search tool, these instructions implicitly direct the agent to fetch arbitrary external URLs and to perform searches that could surface sensitive information (e.g., searching for 'intext:password filetype:txt'). The docs also mention scraping Chinese engines without API keys but give no guidance about throttling, robots.txt, or legal/TOS considerations.
Install Mechanism
This is an instruction-only skill with no install spec and no code files—nothing will be written or installed by the skill package itself. That minimizes install-time risk, but it also means the runtime behavior depends entirely on the agent executing the documented web requests/parsing logic (which isn't provided as packaged code).
Credentials
The skill declares no required environment variables. SKILL.md lists optional API keys (Google, Bing, Wolfram) which are reasonable for improving API usage. This is proportionate. However, because there is no packaged code, it's unclear where optional .env keys would be used; verify how/where they'd be read if you install/run a runtime implementation.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable with normal autonomous invocation allowed. It does not declare config-path or system modifications. No persistence or elevated privileges are requested in the bundle.
What to consider before installing
This package appears to be documentation for a multi-engine search helper, but there are packaging inconsistencies and missing implementation files. Before installing or enabling it: (1) ask the publisher to provide the actual runtime code (multi-search.py or equivalent) and verify the code matches the docs; (2) confirm the correct owner/version and that metadata mismatches are intentional; (3) review the runtime implementation for any code that fetches arbitrary URLs, logs or forwards results, or reads environment files; (4) avoid supplying API keys until you verify how they're stored/used; (5) be aware that the skill's scraping behavior can surface sensitive data and may violate search engines' terms—prefer to run it in a restricted environment or request a vetted implementation with rate-limiting and robots.txt respect. If the publisher cannot supply clear, matching source code and provenance, treat the package as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk971vbxq6e8p9ejbdjaykt2dcs8357tm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.