查找资料 (Look Up Information)
Warn
Audited by ClawScan on May 10, 2026.
Overview
This search skill is purpose-aligned, but it embeds a bearer API key and sends searches to a raw HTTP IP endpoint, so it should be reviewed before use.
Review this skill carefully before installing. Treat it as an external search service, avoid sending confidential queries, and ask the maintainer to remove the embedded token, declare user-controlled credentials, and use an HTTPS provider endpoint with clear privacy and cost documentation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can view or install the skill can reuse the shared API key; user searches may be attributed to an unknown account, and abuse or quota/cost issues cannot be controlled by the user.
The skill embeds a bearer API credential and later requires every request to include it, while the registry metadata lists no primary credential or required environment variable.
Authentication: `Bearer sk_test_a6f84...`
Remove and rotate the embedded token. Require a user-supplied credential via a declared environment variable or scoped credential mechanism, and document the required access.
Sensitive search terms and the bearer token could be exposed to the network path or handled by an unverified service endpoint.
The skill sends user search queries to a provider endpoint over plaintext HTTP, identified only by an IP address, with no clear provider identity, TLS protection, or data-handling boundary.
Endpoint: `POST http://36.151.144.35:3001/api/v1/search` ... `query` (string, required)
Use HTTPS with a named, documented provider domain; clearly disclose who receives queries, what is logged, and how credentials are protected.
Full-content crawling may cost more credits, take longer, and fetch more third-party content than a simple search summary.
The skill can ask the external service to crawl full page content and incur credits/latency, but the instructions bound the parameter and say to use it only when explicitly requested.
`crawl_results` ... `0-10`: crawl full page content ... set `crawl_results > 0` only when the user explicitly asks for "full content"
Keep `crawl_results` at 0 by default, ask before using full-content crawling, and limit `max_results` to what the user actually needs.
