Deep Search-mpro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill looks reasonable for public web research and report generation. Expect it to search/fetch web content and produce Markdown/HTML files. Avoid entering confidential research topics, verify cited sources, and inspect any optional scripts or companion skills before running or installing them. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your research topic and selected web pages may be sent to search/fetch tools and influence the generated report.
The skill directs the agent to use web search and page fetching, but it also describes scope limits and says not to do automatic traversal or bulk crawling.
Use the Agent's built-in `web_search` + `web_fetch` (no API key needed) ... Only fetch pages/passages directly relevant to this research's conclusions (no automatic traversal or bulk crawling)
Use this skill for public or non-sensitive research topics, and review the cited sources before relying on the report.
If you choose to run the optional scripts, you will execute local code and install third-party Python packages.
The repository includes optional local script usage and dependency installation, but the docs describe it as optional, dry-run by default, and requiring explicit network enablement.
If you want to use `scripts/data_collector.py`: `pip install requests beautifulsoup4 lxml` ... The default is dry-run (no network requests are made). For real network collection, explicitly enable network requests and set a request cap.
Only run optional scripts after inspecting them, preferably in a virtual environment, and keep network request limits enabled.
It may be harder to confirm that the package came from the expected maintainer or version lineage.
The registry metadata and package metadata do not fully line up, and there is no homepage/source URL, which makes provenance verification harder.
Registry metadata: Source: unknown, Homepage: none, Version: 1.0.0; _meta.json: "ownerId": "muqi98-michael", "version": "1.0.1"
Verify the publisher and package source before installing, especially before running any optional scripts or installing optional companion skills.
