Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Volcengine Search

v1.0.1

Uses Volcano Engine (火山引擎) for web-connected search and question answering.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name/description say 'Volcengine' search, and the README points to Volcengine docs, but the script's network target is https://open.feedcoopapi.com, not volcengine.com or an official Volcano Engine endpoint. That mismatch is not coherent with the stated provider.
! Instruction Scope
SKILL.md instructs setting VOLC_SEARCH_API_KEY and running scripts/search_web.py, but the repository contains scripts/volcengine_search.py (different filename). The runtime instructions expect an env var and CLI usage that don't match the shipped filenames, increasing the chance of user confusion and hidden behavior. The instructions also direct network requests to an external endpoint (open.feedcoopapi.com) which is outside the stated provider.
Install Mechanism
No install spec; this is instruction-plus-script only so nothing is automatically downloaded or installed by the skill. That minimizes install-time risk.
! Credentials
The script requires an API key (VOLC_SEARCH_API_KEY or VOLCENGINE_SEARCH_API_KEY) — reasonable for a search API — but the key is sent as a Bearer token to open.feedcoopapi.com. The registry metadata did not declare required env vars. Sending a Volcano Engine API key to a third-party domain is disproportionate and could leak credentials.
Persistence & Privilege
Skill does not request always:true, does not modify system or other skills, and has no install steps that persist beyond the repository files. No elevated persistence requested.
What to consider before installing
Do not trust this skill until you verify the network endpoint and the intended API owner. Specifically:
- Confirm whether open.feedcoopapi.com is an authorized proxy or partner of Volcano Engine; if the project author cannot prove that, treat requests to that domain as suspicious.
- Note that the SKILL.md/README call scripts/search_web.py, but the repository contains scripts/volcengine_search.py; request corrected documentation or a fixed package.
- The skill will read an API key from VOLC_SEARCH_API_KEY (or VOLCENGINE_SEARCH_API_KEY) and send it to the external domain as a Bearer token; avoid supplying any real production API key. Test only with a throwaway key or in a sandboxed environment and monitor outbound network traffic.
- Ask the publisher for evidence of endpoint ownership and for the skill metadata to declare required env vars. If you cannot obtain satisfactory answers, do not install or run this skill with sensitive credentials.


latest: vk97etq5v8k0rz2pc2v8c7zm55s83xfg9
