Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chinese Search Enhancement

v1.0.0

Chinese search enhancement: search Baidu, Zhihu, and WeChat articles. Returns AI-optimized structured results in Chinese. Paid skill (0.001 USDT/call via Ski...

Security Scan
  • VirusTotal: Suspicious
  • OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
Name/description and code generally align (search Baidu, Zhihu, WeChat). However the code embeds a SkillPay API key and uses a third-party 'v.api.aa1.cn' free API as an alternate Baidu source (not declared in SKILL.md). The billing integration and embedded secret are not strictly necessary to perform scraping/searching and increase risk.

Instruction Scope (flagged)
SKILL.md states 'Local files: None read or written' but search.mjs reads local files to resolve a caller ID (~/.openclaw/identity/device.json and possible OPENCLAW_STATE_DIR path). The code sends caller identity (or hostname/username) to the billing endpoint. The SKILL.md lists Baidu/Sogou/Zhihu/SkillPay but omits the alternate free API endpoint (v.api.aa1.cn) used by lib/baidu.mjs.

Install Mechanism
No install spec is provided (instruction-only install); code is pure Node with dependencies declared in package.json/package-lock.json (cheerio, commander). There are no downloads or opaque installers in the spec.

Credentials (flagged)
The package requires only 'node', but the code reads environment variables OPENCLAW_CALLER_ID, OPENCLAW_AGENT_ID, and OPENCLAW_STATE_DIR (not declared in SKILL.md). More seriously, lib/billing.mjs contains a hardcoded API key (sk_...) and skill ID. A secret embedded in distributed code can be abused or exfiltrated and is disproportionate to a client-side search utility.

Persistence & Privilege
always:false, and the skill does not request system-wide config changes. It does attempt to identify the caller (reading identity files or using hostname/username) to bill via SkillPay, which increases its privacy footprint but is not an elevated platform privilege like always:true.
What to consider before installing

This skill appears to implement the claimed searches, but I recommend caution before installing or enabling it broadly:

  • Do not assume SKILL.md's 'no local files' claim is accurate: the skill reads identity files and will send an identifier (deviceId or hostname+username) to the billing endpoint.
  • The code contains a hardcoded billing API key (lib/billing.mjs). That is a secret embedded in distributed code — it could be abused by the publisher or an attacker who modifies the skill. Ask the publisher why the key is embedded and request a safer billing design (server-side charging or per-install keys).
  • The baidu module falls back to an undocumented third-party free API (v.api.aa1.cn). Ask the publisher to disclose all external endpoints and justify them.
  • For testing, run the tool locally with the --no-billing flag and monitor network connections (or sandbox it) before giving it network access in production or allowing autonomous invocation.
  • If you must use it: avoid installing on devices with sensitive local data or identity you don't want sent to an external billing service. Prefer installing only after the publisher removes the embedded API key or provides clear billing documentation and an opt-in consent flow.

If you want, I can produce a short message you can send to the publisher asking for: (1) removal of the hardcoded API key, (2) disclosure/justification of v.api.aa1.cn usage, and (3) correction of the SKILL.md claims about local file access.
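The scan findings above (an embedded sk_ key, environment variables and identity files the SKILL.md does not mention, and a fallback host missing from the declared endpoint list) are all things you can check yourself before enabling a downloaded skill. The following is an added example written for this page, not the skill's own code and not ClawHub's scanner: a static audit that reads SKILL.md's "External endpoints accessed" and "Local files" lines and compares them against what the source files actually reference. The SKILL.md excerpt and the three source files are constructed stand-ins that mimic this skill's layout (search.mjs, lib/billing.mjs, lib/baidu.mjs); the placeholder key is not a real credential.

```javascript
// Added example: pre-install static audit of an OpenClaw-style skill directory.
// Pure string matching over in-memory file contents, so it runs offline.

const SECRET_RE = /\bsk_[A-Za-z0-9_-]{8,}/g;                             // hardcoded "sk_..." keys
const ENV_RE = /process\.env(?:\.([A-Z_][A-Z0-9_]*)|\[["']([A-Z_][A-Z0-9_]*)["']\])/g;
const READ_RE = /\b(?:readFile|readFileSync|readdir|readdirSync)\s*\(([^\n;]{0,160})/g; // rest of the call
const HOME_PATH_RE = /homedir\(\)|~\/|\.openclaw|STATE_DIR|\bHOME\b/;    // host identity/state locations
const URL_HOST_RE = /https?:\/\/([a-z0-9.-]+)/gi;
const HOST_RE = /\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b/gi;
const ENV_NAME_RE = /\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b/g;                // SCREAMING_SNAKE names in SKILL.md

// Hosts SKILL.md admits to: every domain on its "External endpoints accessed" line.
function declaredHosts(skillMd) {
  const line = skillMd.split('\n').find((l) => /External endpoints accessed/i.test(l)) || '';
  return [...new Set((line.match(HOST_RE) || []).map((h) => h.toLowerCase()))];
}

function auditSkill(skillMd, files) {
  const hosts = declaredHosts(skillMd);
  const declaredEnv = new Set(skillMd.match(ENV_NAME_RE) || []); // heuristic: any such name in SKILL.md counts as declared
  const claimsNoLocalFiles = /Local files:\s*None/i.test(skillMd);
  const f = { secrets: [], undeclaredEnv: [], localFileReads: [], undeclaredHosts: [], contradictions: [] };
  const seen = new Set();
  const add = (list, entry) => {
    const key = list + JSON.stringify(entry);
    if (!seen.has(key)) { seen.add(key); f[list].push(entry); }
  };

  for (const [file, src] of Object.entries(files)) {
    for (const m of src.matchAll(SECRET_RE)) f.secrets.push({ file, token: m[0].slice(0, 6) + '...' }); // never log the full key
    for (const m of src.matchAll(ENV_RE)) {
      const variable = m[1] || m[2];
      if (!declaredEnv.has(variable)) add('undeclaredEnv', { file, variable });
    }
    for (const m of src.matchAll(READ_RE)) {
      if (HOME_PATH_RE.test(m[1])) add('localFileReads', { file, call: m[0].trim() });
    }
    for (const m of src.matchAll(URL_HOST_RE)) {
      const host = m[1].toLowerCase();
      if (!hosts.some((d) => host === d || host.endsWith('.' + d))) add('undeclaredHosts', { file, host });
    }
  }
  if (claimsNoLocalFiles && f.localFileReads.length) {
    f.contradictions.push('SKILL.md says "Local files: None" but the code reads local state files');
  }
  return f;
}

// Constructed sample input: a SKILL.md excerpt shaped like this skill's Security & Privacy section.
const SAMPLE_SKILL_MD = `Security & Privacy
  • External endpoints accessed: Baidu (baidu.com), Sogou (sogou.com, weixin.sogou.com), Zhihu (zhihu.com), SkillPay (skillpay.me)
  • Local files: None read or written
`;

// Constructed sample sources (stand-ins, not the skill's real code).
const SAMPLE_FILES = {
  'search.mjs': `import { readFileSync } from 'node:fs';
import { homedir } from 'node:os';
import { join } from 'node:path';
const stateDir = process.env.OPENCLAW_STATE_DIR || homedir();
const caller = process.env.OPENCLAW_CALLER_ID
  || JSON.parse(readFileSync(join(stateDir, '.openclaw/identity/device.json'), 'utf8')).deviceId;`,
  'lib/billing.mjs': `const API_KEY = 'sk_EXAMPLE_0000000000000000'; // constructed placeholder, not a real key
export const charge = (id) => fetch('https://skillpay.me/v1/charge', { headers: { Authorization: API_KEY }, body: id });`,
  'lib/baidu.mjs': `const PRIMARY = 'https://www.baidu.com/s';
const FALLBACK = 'https://v.api.aa1.cn/api/baidu';`,
};

console.log(JSON.stringify(auditSkill(SAMPLE_SKILL_MD, SAMPLE_FILES), null, 2));
```

To audit a real download, read each file under the skill directory into the `files` map and pass the actual SKILL.md text; a non-empty `contradictions` or `undeclaredHosts` list is the signal to stop and ask the publisher before installing. The regexes are deliberately loose (they will miss keys built from concatenated strings or URLs assembled at runtime), so treat an empty report as "nothing obvious", not as a clean bill.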


Runtime requirements

  • Binaries: node
  • Latest version id: vk97aafq51p9t3p7h9qqthzp90s82drde

Listing stats

  • 410 downloads
  • 0 stars
  • 1 version (v1.0.0)
  • Updated 3h ago
  • License: MIT-0

Chinese Search Enhancement (中文搜索增强)

Search Chinese-language content across Baidu, Zhihu, and WeChat public accounts in a single command. Returns structured, AI-friendly JSON results.

This skill fills the gap left by English-centric search tools (Brave, Perplexity, etc.) that return poor results for Chinese queries.

Usage

Search all sources (default)

node {baseDir}/search.mjs "人工智能最新进展"

Search specific sources

node {baseDir}/search.mjs "新能源汽车" -s baidu
node {baseDir}/search.mjs "React性能优化" -s zhihu
node {baseDir}/search.mjs "大模型应用" -s wechat
node {baseDir}/search.mjs "量子计算" -s baidu,zhihu

Control result count

node {baseDir}/search.mjs "ChatGPT" -n 10
node {baseDir}/search.mjs "深度学习" -s baidu,zhihu -n 3

Options

  • First argument (required): search query in Chinese or English
  • -s, --sources <sources>: Comma-separated sources — baidu, zhihu, wechat (default: all three)
  • -n, --limit <count>: Results per source, 1-20 (default: 5)
  • --no-billing: Skip billing check (local testing only, do not use in production)

Sources

Source   What it searches                            Best for
baidu    Baidu web search                            General Chinese web content, news, tech articles
zhihu    Zhihu Q&A platform                          Expert opinions, in-depth discussions, how-to guides
wechat   WeChat public account articles via Sogou    Original analysis, industry insights, opinion pieces

Output Format

Returns JSON with results grouped by source:

{
  "query": "人工智能",
  "total": 15,
  "sources": ["baidu", "zhihu", "wechat"],
  "results": {
    "baidu": [
      { "title": "...", "snippet": "...", "url": "..." }
    ],
    "zhihu": [
      { "title": "...", "snippet": "...", "url": "..." }
    ],
    "wechat": [
      { "title": "...", "snippet": "...", "url": "...", "account": "...", "date": "..." }
    ]
  }
}

When to use this skill

  • User asks a question that requires Chinese-language information
  • You need to find Chinese news, articles, or expert discussions
  • The built-in web_search tool returns poor results for Chinese queries
  • You need information from Chinese platforms (Baidu, Zhihu, WeChat)

Billing

This is a paid skill. Each search call costs 0.001 USDT (about 0.007 RMB). If the user's balance is insufficient, the skill returns a payment_url — show it to the user so they can top up.
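Whatever invokes search.mjs (an agent, a wrapper script) receives JSON that came partly from third-party search pages and partly from the billing endpoint, so it should be parsed as untrusted input rather than rendered straight to the user. The block below is an added example for this page, not the skill's code: it validates the documented result shape, drops result entries whose url is not http(s) (so a javascript: or data: link scraped from a page never reaches a chat surface), and only surfaces a payment_url when it is an https link on the declared billing host. Two assumptions are made here because the page does not specify them: that the insufficient-balance response carries a top-level payment_url key, and that skillpay.me (the SkillPay endpoint listed under Security & Privacy) is the only host a payment link may point to.

```javascript
// Added example: consume search.mjs output defensively (not the skill's own code).

const ALLOWED_PAYMENT_HOSTS = ['skillpay.me'];          // assumed: the declared SkillPay billing host
const REQUIRED_FIELDS = ['title', 'snippet', 'url'];     // per the documented result shape
const KEPT_FIELDS = ['title', 'snippet', 'url', 'account', 'date']; // account/date appear on wechat results

// Normalized absolute URL if it is http(s) (https only when required) and, when an allow-list
// is given, on one of those hosts or a subdomain; otherwise null. Rejects javascript:, data:, file:.
function safeUrl(value, { requireHttps = false, allowedHosts = null } = {}) {
  if (typeof value !== 'string') return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.protocol !== 'https:' && (requireHttps || u.protocol !== 'http:')) return null;
  if (allowedHosts && !allowedHosts.some((h) => u.hostname === h || u.hostname.endsWith('.' + h))) return null;
  return u.href;
}

function handleSearchOutput(text) {
  let data;
  try { data = JSON.parse(text); } catch { return { status: 'malformed', reason: 'output is not JSON' }; }
  if (!data || typeof data !== 'object') return { status: 'malformed', reason: 'output is not an object' };

  // Billing branch (assumed shape): surface the link only if https on an allowed billing host.
  if ('payment_url' in data) {
    const url = safeUrl(data.payment_url, { requireHttps: true, allowedHosts: ALLOWED_PAYMENT_HOSTS });
    return url
      ? { status: 'payment_required', paymentUrl: url }
      : { status: 'rejected', reason: 'payment_url is not an https link on an allowed billing host' };
  }

  if (typeof data.query !== 'string' || !data.results || typeof data.results !== 'object') {
    return { status: 'malformed', reason: 'missing query or results' };
  }
  const results = {};
  let dropped = 0;
  for (const [source, items] of Object.entries(data.results)) {
    if (!Array.isArray(items)) { dropped += 1; continue; }
    results[source] = [];
    for (const item of items) {
      const shapeOk = item && typeof item === 'object' && REQUIRED_FIELDS.every((f) => typeof item[f] === 'string');
      const url = shapeOk ? safeUrl(item.url) : null;
      if (!url) { dropped += 1; continue; }
      const clean = { url };
      for (const f of KEPT_FIELDS) if (f !== 'url' && typeof item[f] === 'string') clean[f] = item[f];
      results[source].push(clean);
    }
  }
  return { status: 'ok', query: data.query, results, dropped };
}

// Constructed sample outputs (not captured from the skill): one normal result set containing a
// poisoned link, and one insufficient-balance response.
const SAMPLE_OK = JSON.stringify({
  query: '人工智能', total: 3, sources: ['baidu', 'wechat'],
  results: {
    baidu: [
      { title: 'AI 进展', snippet: '...', url: 'https://www.baidu.com/link?url=abc' },
      { title: 'click me', snippet: '...', url: 'javascript:alert(1)' },
    ],
    wechat: [{ title: '大模型应用', snippet: '...', url: 'https://mp.weixin.qq.com/s/xyz', account: '某公众号', date: '2024-01-01' }],
  },
});
const SAMPLE_PAYMENT = JSON.stringify({ error: 'insufficient_balance', payment_url: 'https://skillpay.me/topup?id=abc' });

console.log(handleSearchOutput(SAMPLE_OK));
console.log(handleSearchOutput(SAMPLE_PAYMENT));
```

The `dropped` counter is worth logging: a nonzero value on a normal query means a scraped page produced something other than a plain http(s) link, which is useful signal when you are monitoring the skill during the sandboxed test run the scan recommends.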

Setup

No configuration needed. Billing is handled automatically by the skill publisher via SkillPay: the skill charges each call using a billing key embedded in lib/billing.mjs and a caller identifier it resolves locally (see the ClawHub scan findings above). There is no opt-in step; install and use.

Security & Privacy

  • External endpoints accessed: Baidu (baidu.com), Sogou (sogou.com, weixin.sogou.com), Zhihu (zhihu.com), SkillPay (skillpay.me). The ClawHub scan above additionally found an undeclared fallback Baidu source in lib/baidu.mjs, v.api.aa1.cn.
  • Local files: the SKILL.md claim of "None read or written" is contradicted by the scan above, which found that search.mjs reads ~/.openclaw/identity/device.json (or the equivalent path under OPENCLAW_STATE_DIR) to resolve a caller ID, and reads the environment variables OPENCLAW_CALLER_ID, OPENCLAW_AGENT_ID and OPENCLAW_STATE_DIR. The scan reports reads only.
  • Data handling: search queries are sent to the above search engines. The billing request to SkillPay carries a caller identifier (the device ID from the identity file, or hostname plus username when no identity file is present), so the ID is pseudonymous rather than anonymous. The skill itself stores no user data; whether SkillPay retains the identifier is not documented here.
