Skill v1.0.0

ClawScan security

Chinese Search Enhancement · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 9:41 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary
The skill mostly does what it claims (scrape/search Chinese sites) but contains several inconsistencies and privacy/billing risks (hardcoded billing API key, undeclared third-party endpoint, and local file reads despite SKILL.md saying none).
Guidance
This skill appears to implement the claimed searches, but I recommend caution before installing or enabling it broadly:
- Do not assume SKILL.md's 'no local files' claim is accurate: the skill reads identity files and will send an identifier (deviceId or hostname+username) to the billing endpoint.
- The code contains a hardcoded billing API key (lib/billing.mjs). That is a secret embedded in distributed code — it could be abused by the publisher or an attacker who modifies the skill. Ask the publisher why the key is embedded and request a safer billing design (server-side charging or per-install keys).
- The baidu module falls back to an undocumented third-party free API (v.api.aa1.cn). Ask the publisher to disclose all external endpoints and justify them.
- For testing, run the tool locally with the --no-billing flag and monitor network connections (or sandbox it) before giving it network access in production or allowing autonomous invocation.
- If you must use it: avoid installing on devices with sensitive local data or identity you don't want sent to an external billing service. Prefer installing only after the publisher removes the embedded API key or provides clear billing documentation and an opt-in consent flow.

If you want, I can produce a short message you can send to the publisher asking for: (1) removal of the hardcoded API key, (2) disclosure/justification of v.api.aa1.cn usage, and (3) correction of the SKILL.md claims about local file access.

Review Dimensions

Purpose & Capability
Status: concern. Name/description and code generally align (search Baidu, Zhihu, WeChat). However, the code embeds a SkillPay API key and uses a third-party 'v.api.aa1.cn' free API as an alternate Baidu source (not declared in SKILL.md). The billing integration and embedded secret are not strictly necessary to perform scraping/searching and increase risk.
Instruction Scope
Status: concern. SKILL.md states 'Local files: None read or written', but search.mjs reads local files to resolve a caller ID (~/.openclaw/identity/device.json and a possible OPENCLAW_STATE_DIR path). The code sends caller identity (or hostname/username) to the billing endpoint. SKILL.md lists Baidu/Sogou/Zhihu/SkillPay but omits the alternate free API endpoint (v.api.aa1.cn) used by lib/baidu.mjs.
Install Mechanism
Status: ok. No install spec is provided (instruction-only install); the code is pure Node with dependencies declared in package.json/package-lock.json (cheerio, commander). There are no downloads or opaque installers in the spec.
Credentials
Status: concern. The package requires only 'node', but the code reads the environment variables OPENCLAW_CALLER_ID, OPENCLAW_AGENT_ID, and OPENCLAW_STATE_DIR (not declared in SKILL.md). More seriously, lib/billing.mjs contains a hardcoded API key (sk_...) and skill ID — a secret embedded in distributed code can be abused or exfiltrated and is disproportionate to a client-side search utility.
Persistence & Privilege
Status: note. always:false, and the skill does not request system-wide config changes. It does attempt to identify the caller (reading identity files or using hostname/username) to bill via SkillPay, which increases its privacy footprint but is not an elevated platform privilege like always:true.