ClawHub

多搜索聚合器

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to be a straightforward multi-search tool, but users should know it uses search-provider API keys and sends their queries to external services.

This skill looks safe to install if you are comfortable configuring Tavily, Brave, or Perplexity API keys and sending search queries to those services. Use scoped keys, monitor provider usage, and avoid entering sensitive queries you would not want shared with the selected search providers.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse
Low
What this means

The skill can use your configured search-provider accounts and may consume quota or expose searches to those providers under your API keys.

Why it was flagged

The script loads Tavily, Brave, and Perplexity API keys from local environment configuration and uses them to authenticate to the matching providers. This is purpose-aligned, but it is credential access users should understand.

Skill content
env_path = pathlib.Path.home() / ".openclaw" / ".env" ... key = load_env_key("TAVILY_API_KEY") ... "X-Subscription-Token": key ... "Authorization": f"Bearer {key}"
Recommendation

Use provider-specific, scoped API keys where possible, rotate them if compromised, and avoid configuring keys you do not want this skill to use.

#ASI07: Insecure Inter-Agent Communication
Low
What this means

Search terms may be visible to Tavily, Brave, or Perplexity depending on which sources are enabled.

Why it was flagged

The skill sends the user's search query to external search and AI-provider APIs. This is disclosed and central to the skill's purpose, but it is still a third-party data-sharing boundary.

Skill content
TAVILY_URL = "https://api.tavily.com/search" ... BRAVE_URL = "https://api.search.brave.com/res/v1/web_search" ... url = "https://api.perplexity.ai/chat/completions"
Recommendation

Do not use this skill for highly sensitive queries unless you are comfortable with those providers receiving the query text.