media-search
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent media-search tool, but it handles required API credentials unsafely by logging access tokens and disabling HTTPS certificate verification.
Use this skill only if you trust the media-data provider and can patch or accept the credential-handling risks. Before installing, remove token/header logging, enable HTTPS certificate verification, declare the required API credentials in metadata, and periodically clean the token cache and sources output folder.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the logs or command output could reuse the media-platform access token until it expires or is rotated.
The API access token is placed in the request headers, and the full headers object is then logged, which exposes the token in console output, log files, or agent transcripts.
headers = { ... "token": access_token, } ... self.logger.info(f"请求头: {headers}")
Remove or redact token/header logging before use, rotate any token exposed during testing, and keep logs/transcripts private.
On an untrusted network or behind a malicious proxy, the API credentials or tokens could be intercepted, because certificate validation is disabled.
The API secret is sent to the token endpoint with TLS certificate verification turned off; the file also suppresses urllib3 insecure-request warnings.
data = {"grant_type": "secret", "appid": appid, "secret": secret,} ... requests.post(... timeout=30, verify=False)
Enable certificate verification, remove the warning suppression, and make any custom CA/proxy configuration explicit and user-controlled.
The install or permission view may understate that this skill needs API credentials for a third-party media-data service.
The registry metadata does not declare credentials, while SKILL.md/README/code require NEWS_BIGDATA_API_KEY and NEWS_BIGDATA_API_SECRET.
Required env vars: none ... Primary credential: none
Declare the required environment variables and credential purpose in metadata so users understand the account access being granted.
Search topics, sources, and results may remain on disk after the task and be visible in later local review or backups.
The skill persists complete search queries and results locally for audit/reuse, which is disclosed and scoped but may retain sensitive research topics.
All search results are automatically saved to the `sources/` directory ... Saved content: full query parameters, search results, timestamp
Review and delete sensitive files in the sources folder when no longer needed, or make autosave opt-in for sensitive investigations.
