Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
gety-local-search
v1.0.1
This skill should be used when the user wants to search for local files or documents on their computer. Trigger phrases include "帮我找文件", "搜索本地文件", "查找文档", "本...
by @lujfsd
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes a local-search skill that operates by invoking a 'gety' CLI — this is coherent with the stated purpose. However the skill metadata does not declare the gety binary as a required dependency, provides no homepage/source, and includes no install instructions; those omissions reduce provenance and make it unclear how the CLI will be obtained or whether it is trustworthy.
Instruction Scope
Runtime instructions stay within the stated scope: list connectors, run search, fetch document content, handle exit codes. They implicitly instruct the agent to run shell CLI commands that will access local indexed files and to add connectors (directories). The instructions do not direct data to external endpoints or request unrelated environment variables, but adding connectors can expose arbitrary filesystem paths to the search engine — the agent will therefore potentially read local content as intended.
Install Mechanism
This is an instruction-only skill with no install spec. That is low risk for disk writes by the skill itself, but the skill assumes an external 'gety' CLI is present and running. Because there is no source/homepage or guidance for obtaining a trusted binary, users may need to install software from an unknown origin — this is a provenance concern rather than direct code-injection from the skill.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to its purpose. Note that the CLI operations will access local files (as expected) but no extra secrets or unrelated credentials are being requested by the skill itself.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It's user-invocable and allows normal autonomous invocation. It does not modify other skills or system configuration in the provided instructions.
What to consider before installing
This skill is a thin wrapper for the third-party 'gety' CLI. Before installing/using it:
1) Verify where the gety binary comes from (official site, package repo) and that you trust that source — the skill metadata does not provide a homepage or install instructions.
2) If you must install gety, prefer official release channels and inspect the binary/package.
3) Be cautious when adding connectors: avoid indexing sensitive directories (password stores, SSH keys, system configs) unless you understand how gety stores and secures indexed data.
4) If you want the agent to run searches, consider running initial gety commands yourself to confirm expected output and exit codes.
5) If provenance cannot be established, do not install or run the CLI — the skill otherwise behaves as described but relies on external software of unknown trustworthiness.
Like a lobster shell, security has layers — review code before you run it.
latestvk97bz846535bkmvdx23yn5sjt983gd52
