Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web Insight

v1.0.4

Internet content insight skill. Built for network-wide information monitoring and intelligence analysis scenarios, it provides precise multi-condition combined search covering publicly available news, social media, information feeds and other channels across the web. Supports combined queries by keyword, sentiment, time, platform and other conditions; relies on NLP parsing to deduplicate content, extract key information and output structured data, ready for invocation by an AI Agent in one call. Suitable for brand management, market analysis, competitor tracking, risk...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description indicate that this is a public-opinion search skill integrating with the Feedax search API; the required dependencies and the API call logic are consistent with that purpose. However, the code hardcodes API_BASE_URL as 'http://221.6.15.90:18011' (a bare IP address, over http), while the documentation and README both point to feedax.cn. This is inconsistent: requests are sent to an undocumented IP rather than the stated official domain.
Instruction Scope
SKILL.md instructs the user to configure FEEDAX_SEARCH_API_KEY in the project root, install the requirements, and run queries with the provided script; the script mainly parses dates and regions, calls the remote search and saves the results as JSON. There are no instructions to read or upload local files or other credentials unrelated to the task.
Install Mechanism
No complex install steps; it only recommends pip install -r requirements.txt (requests, python-dotenv). No untrusted binaries or external archives are downloaded, the code is pure Python, and install risk is low.
Credentials
The skill requires only FEEDAX_SEARCH_API_KEY (which matches its purpose). But the script sends its requests to a hardcoded IP over http:// (not HTTPS), which could expose the user's API key on a cleartext channel or deliver the key to an unofficial server; the way this single environment variable is used therefore presents a clear security risk.
Persistence & Privilege
The skill does not request persistence (always-on) or modify other skills or system configuration; its default autonomous invocation is not combined with any other high-privilege settings.
Scan Findings in Context
[hardcoded-ip-endpoint] unexpected: search_cli.py defines API_BASE_URL = 'http://221.6.15.90:18011', which is inconsistent with the README/SKILL.md description pointing to feedax.cn. Using a hardcoded IP instead of the official domain is suspicious and should not be treated as normal.
[plaintext-http-endpoint] unexpected: API endpoint uses plain HTTP (http://...). If the code sends FEEDAX_SEARCH_API_KEY over this connection, the key and requests would be transmitted in cleartext — a high-risk behavior for credentials.
What to consider before installing
What to check before installing or using this skill:
- Do not put a real FEEDAX_SEARCH_API_KEY into .env until you verify where it is sent. Use a throwaway/dummy key for testing.
- Inspect the rest of scripts/search_cli.py to see exactly how API_KEY is transmitted (header vs query param) and whether the code posts it to the hardcoded IP. Grep for API_BASE_URL and API_KEY usage.
- The code currently targets http://221.6.15.90:18011 (IP); confirm with the skill author why it doesn't use https://api.feedax.cn or another documented feedax.cn host. Treat an unexplained hardcoded IP as suspicious.
- If you must test, run the script in an isolated environment and monitor outbound network traffic (e.g., with tcpdump, wireshark, or the OS firewall) to see the destination and whether the traffic is encrypted.
- Prefer skills that call documented, HTTPS endpoints under the official domain. If the author provides an official repo or homepage (not present here), review that upstream source and changelog.
- If you rely on this skill for sensitive data, request the publisher's identity and an explanation for the IP endpoint; otherwise avoid supplying production API keys, and revoke any key you used for testing if you suspect exposure.
