Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Search powered by Aliyun IQS
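v1.0.1
Aliyun IQS web search engine: calls the Aliyun Information Query Service over its HTTP API to fetch real-time web search results. For scenarios that require searching the web for information.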
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (Aliyun IQS web search) aligns with its code and instructions: it calls cloud-iqs.aliyuncs.com, uses curl to make HTTP requests and jq to parse JSON. Required binaries (curl, jq) are appropriate for this purpose.
Instruction Scope
SKILL.md and the shell script are narrowly scoped to forming a query, sending it to the documented IQS endpoints, and formatting results. The instructions only read the declared environment variable TONGXIAO_API_KEY and do not reference unrelated files, other secrets, or external endpoints beyond Aliyun.
Install Mechanism
Install spec only suggests installing jq via brew (a standard package). No downloads from arbitrary URLs or archive extraction are present. This is low-risk and proportional to the need to parse JSON.
Credentials
The skill requires an API key (TONGXIAO_API_KEY) in SKILL.md and the script enforces it, which is appropriate. However, the registry metadata summary provided earlier stated 'Required env vars: none' and 'Primary credential: none', which contradicts the SKILL.md. This metadata mismatch is an incoherence that could trick users or cause misconfiguration. Also the skill owner is unknown and no homepage is provided — verify you trust the key recipient before supplying credentials.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always:false). It doesn't modify other skills or system-wide settings. Autonomous invocation is allowed (default) which is normal; this alone is not a concern.
What to consider before installing
This skill appears to be a straightforward Aliyun IQS search client, but there are two things to check before installing:
1) Metadata mismatch: the registry summary claims no required env vars, but the SKILL.md and script require TONGXIAO_API_KEY. Do not assume the skill works without credentials — the script will fail without the key. Ask the publisher to correct the registry metadata so you can see at-a-glance what credentials are needed.
2) Source trust: the skill owner and homepage are unknown. Review the included script (scripts/iqs-search.sh) yourself — it is short and readable — and confirm the endpoint is the official Aliyun domain (cloud-iqs.aliyuncs.com). If you proceed, create an API key with least privilege and limited scope/quotas, avoid reusing high-privilege keys, and consider using a separate key you can rotate or revoke.
If anything looks unexpected (different endpoints, extra env-vars, or hidden install steps), do not provide real credentials and ask for clarifications or a published source/homepage.
Like a lobster shell, security has layers — review code before you run it.
latestvk97btyrvaw3rts7zk75my9rz8h83rmj4
Runtime requirements
🔍 Clawdis
Bins: curl, jq
Environment variables
TONGXIAO_API_KEY (required): Aliyun IQS API key, obtained from the console: https://ipaas.console.aliyun.com/api-key
Install
Install jq (brew)
Bins: jq
brew install jq