test-search

Pass

Audited by ClawScan on May 11, 2026.

Overview

This appears to be a disclosed iFlytek web-search skill, but the published package is incomplete and its API password requirement is not reflected in the registry metadata.

This skill does not show malicious behavior in the supplied artifacts, but it appears incomplete because the referenced search script is missing. Before installing or using it, confirm that the intended script is included from a trusted source and be aware that using it requires an iFlytek API password and sends your search queries to iFlytek.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may consume the user's iFlytek API quota and exposes search activity to that provider under the user's account.

Why it was flagged

The skill requires a provider API password and uses it as a bearer token for the iFlytek search API. This is purpose-aligned, but it is a credential and the registry metadata says no credential or environment variable is required.

Skill content

Environment variable: `XFYUN_API_PASSWORD` ... Auth: `Authorization: Bearer <XFYUN_API_PASSWORD>`

Recommendation

Only provide an iFlytek API password you intend to use for this search service, monitor quota usage, and prefer updated metadata that declares the credential requirement.

What this means

The skill may not work as published, and a user or agent might be tempted to run an unreviewed replacement script from another location.

Why it was flagged

The provided file manifest contains only SKILL.md and reports no code files, so the referenced helper script is not included for review or execution.

Skill content

The script is at `scripts/search.py` relative to this skill directory.

Recommendation

The publisher should include the referenced script or remove the command instructions. Users should verify the exact script path and source before running any replacement code.

What this means

Search terms, which may contain sensitive information, can be sent to the iFlytek ONE SEARCH API.

Why it was flagged

The skill sends search requests to a third-party provider endpoint. This is disclosed and aligned with the search purpose, but users should understand that their queries go to iFlytek.

Skill content

Endpoint: `POST https://search-api-open.cn-huabei-1.xf-yun.com/v2/search`

Recommendation

Avoid entering confidential queries unless you are comfortable sending them to that provider, and review the provider's privacy and retention terms.