Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

iFlytek Web Search

v1.0.0

Search the web using iFlytek ONE SEARCH API (万搜/聚合搜索). Returns titles, summaries, URLs, and full text from web pages. Good for Chinese-language web search.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, SKILL.md, and the included script all consistently implement an iFlytek (Xfyun) ONE SEARCH client that posts queries to the documented API endpoint and returns titles/summaries/full text. The requested functionality matches the stated purpose (Chinese web search).
Instruction Scope
Runtime instructions and the provided script stay within the expected scope: they only read one environment variable (XFYUN_API_PASSWORD), construct a JSON payload, POST to the documented Xfyun endpoint, and print results. The script does not access other files, system state, or external endpoints beyond the API URL. However, the SKILL.md requires an environment variable that the registry metadata did not declare (see environment_proportionality).
Install Mechanism
No install spec is provided (instruction-only with an included Python script). Nothing is downloaded or written to disk by an installer. This is low-risk from an install-mechanism perspective.
Credentials
The SKILL.md and script require the secret environment variable XFYUN_API_PASSWORD to authenticate to the Xfyun API. However, the registry metadata lists 'Required env vars: none' and 'Primary credential: none', an inconsistency that could mislead users. Requesting a single API password for the stated API is proportionate, but the metadata omission and lack of a declared primary credential reduce transparency and are a concern.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-level privileges or modify other skills/config. Autonomous invocation is allowed (the platform default) but not combined with other high-risk behaviors.
What to consider before installing
This skill appears to be a straightforward client for iFlytek ONE SEARCH and only needs one secret: XFYUN_API_PASSWORD. Before installing:
(1) Verify the skill's provenance — there is no homepage or publisher information in the registry entry; prefer skills from known publishers.
(2) Confirm the registry metadata is updated to declare XFYUN_API_PASSWORD as a required credential (and a primary credential) so you know what you'll be exposing.
(3) Provide an API password scoped for search usage (least privilege) and monitor its usage/quota.
(4) Be aware that using --raw returns full page text (which may contain PII or sensitive data) — avoid sending sensitive queries.
(5) If you are concerned about network calls or secrets, run the script in an isolated environment or review network logs to ensure it's calling only the documented Xfyun endpoint.

Like a lobster shell, security has layers — review code before you run it.

latest vk971apj27mjss5ks91b75ydecx83gk62
