ClawHub
Back to skill
v1.0.1

阿里云的联网搜索

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:23 AM.

Analysis

This appears to be a straightforward Aliyun IQS web-search wrapper that uses the expected API key and shows no hidden or destructive behavior.

GuidanceBefore installing, provide only a dedicated Aliyun IQS API key and remember that search queries are sent to Aliyun. The included artifacts do not show hidden endpoints, destructive behavior, or unrelated data access.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
scripts/search.mjs
const url = 'https://cloud-iqs.aliyuncs.com/search/unified'; ... body: JSON.stringify(requestBody)

The script sends the user-provided search query to the declared Aliyun IQS endpoint, matching the advertised search purpose.

User impactSearch terms are sent to Aliyun's IQS service and may be subject to that service's logging, quota, and policies.
RecommendationUse this skill only for queries you are comfortable sending to Aliyun and review the provider's data-handling and quota terms.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/search.mjs
if (process.env.ALI_IQS_API_KEY) { return process.env.ALI_IQS_API_KEY; } ... 'Authorization': `Bearer ${apiKey}`

The skill uses an Aliyun API key from the environment or .env file as the authorization credential for API calls.

User impactThe API key can consume your Aliyun IQS quota and has whatever permissions are attached to that key.
RecommendationUse a dedicated, least-privileged Aliyun IQS key, protect the .env file, and rotate the key if it is exposed.