Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Deep Research Pro Litiao
v1.0.0
Multi-source deep research agent. Searches the web, synthesizes findings, and delivers cited reports. Uses Tavily API (preferred) or DuckDuckGo (fallback).
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The README and package.json claim 'No API keys required' while SKILL.md requires TAVILY_API_KEY (preferred). That inconsistency suggests either sloppy packaging or hidden dependency on an external API not reflected in top-level metadata. The skill also references multiple local script paths (~/.openclaw/workspace/... and /home/clawdbot/...) that are outside the skill bundle — executing them is not required by the stated purpose (a self-contained research agent) unless those scripts are present, which the package does not include.
Instruction Scope
SKILL.md instructs the agent to run external node scripts and a system ddg script at absolute local paths and to curl arbitrary URLs and pipe HTML into a Python snippet. Because no code files are included in the skill bundle, the runtime depends on external scripts/tools that may contain arbitrary logic. It also writes reports to ~/clawd/research/[slug] and instructs spawning sub-agents with sessions_spawn. These actions are expected for research, but executing external scripts in other system locations expands the execution surface and is unexpected for an instruction-only skill.
Install Mechanism
No install spec (instruction-only), which minimizes what the skill writes to disk itself. However, the instructions expect external scripts and tools (Tavily scripts under ~/.openclaw/workspace and a ddg script under /home/clawdbot/...) that are not provided — the agent will attempt to run code located elsewhere on disk or rely on the environment, which is a risk vector.
Credentials
The skill declares TAVILY_API_KEY as a required env var in SKILL.md and metadata, but README/package.json say 'No API keys required'. Requesting an API key is plausible for a 'preferred' Tavily integration, but the conflicting documentation is a red flag. Asking for a single search API key is otherwise proportionate, but the expectation that the agent will also call local scripts (not declared) increases the sensitivity: you should not provide credentials without verifying the code that will use them.
Persistence & Privilege
always:false and normal model invocation settings. The skill instructs writing reports under the user's home directory (~/clawd/research) and spawning sub-agents; these are normal for a research agent. There is no request for persistent 'always' installation or to modify other skills, but the ability to run external local scripts and spawn sessions increases the blast radius if those external scripts are untrusted.
What to consider before installing
This skill is inconsistent and needs human review before trusting it with credentials or letting it execute on your machine. Actions to consider before installing or enabling:
1) Verify whether you actually need Tavily — if not, avoid supplying TAVILY_API_KEY.
2) Inspect the external scripts the SKILL.md references (~/.openclaw/workspace/skills/tavily-search-litiao and /home/clawdbot/clawd/skills/ddg-search) — the skill will execute code there but those files are not bundled with the skill.
3) Confirm which repository and author are authoritative (metadata and README disagree).
4) If you must test, run the agent in a sandboxed environment (isolated user account or VM) without sensitive credentials.
5) Prefer an implementation that bundles or links to the exact code it expects, or replace the external-script calls with known-safe implementations you control.
If you cannot verify the external scripts and metadata, treat this skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ftn5c5y0669t345sppew7ns832mbr
Runtime requirements
🔬 Clawdis
Env: TAVILY_API_KEY
