ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tsearch Web Search

v1.0.0

网络搜索、在线检索、实时信息查询、搜索引擎搜索、Reddit等社区平台讨论、外部站点帖子和热门话题。当用户需要搜索网络上的最新信息、查找近期新闻或趋势、查询实时数据、通过搜索引擎调研话题、浏览Reddit或社区讨论、发现外部站点帖子和热门话题、获取任何在线内容、web search, online lookup,...

0· 30·0 current·0 all-time
by@linkfox-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (web search, extraction, Reddit/forum scraping) matches the included SKILL.md, API docs, and Python client: it calls a tsearch/search endpoint and returns extracted page content. The overall capability aligns with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to perform live web searches and return unstructured extracted content (no sandboxing, no persistent storage). It also says to trigger on broad user intents (even when not explicitly saying 'search'), which increases autonomous network activity. The instructions reference a separate Feedback API endpoint for reporting issues. The instructions do not request reading local files or unrelated system data.
Install Mechanism
No install spec; included code is a small Python script using only standard library networking. No third‑party packages or remote archive installs are present.
!
Credentials
The code and API reference require an environment variable LINKFOXAGENT_API_KEY to authenticate to https://tool-gateway.linkfox.com, but the registry metadata lists no required env vars or primary credential. This is a clear mismatch: the skill will fail or prompt for an API key at runtime, and it will send user queries and content to an external third party that may log them. The presence of an undocumented credential and external endpoints is a proportionality and transparency concern.
Persistence & Privilege
always is false and the skill is user-invocable; autonomous invocation is allowed by default. The SKILL.md's trigger rules are broad (activate when intent suggests real-time info), so the agent may call the external API frequently unless callers restrict invocation. The skill does not request permanent system-wide privileges or modify other skills.
What to consider before installing
This skill will send user search queries and extracted page content to external LinkFox domains. Before installing: 1) Ask the publisher to declare LINKFOXAGENT_API_KEY in the registry metadata and provide a privacy/security policy describing how queries and results are logged/retained. 2) Only use the skill for non-sensitive queries (do not send secrets, credentials, proprietary text, or private data). 3) Verify the external endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) are legitimate for your organization. 4) If you need tighter control, request an option to disable automatic triggering or to prompt for approval before external calls. If the publisher cannot justify the undocumented API key or provide privacy guarantees, treat the skill with caution or avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97895h86fs6q32hbp2ta5a4g58432av

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments