ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Web Search

v1.0.0

Perform web searches using Alibaba Cloud Unified Search API. Returns relevant results with content snippets, scores, and metadata. Use this skill when the us...

0· 36·0 current·0 all-time
by@neotize
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The code and SKILL.md implement Aliyun Unified Search and call the expected endpoint (cloud-iqs.aliyuncs.com). However, the skill's registry metadata declares no required environment variables or binaries, while the runtime requires an ALIYUN_IQS_API_KEY and a Node runtime to execute the included script. That mismatch is disproportionate to the stated purpose (the API key and Node are legitimate needs but should be declared).
Instruction Scope
The SKILL.md and the script stay within the stated purpose: they only construct a search request, send it to Aliyun Unified Search, and print results. The instructions do not request unrelated files, system credentials, or external endpoints beyond the ali cloud search API.
Install Mechanism
There is no install spec (instruction-only), and the included script is self-contained (no external downloads). This is low-risk, but the skill bundle assumes a Node runtime is available even though the metadata lists no required binaries — a documentation/packaging omission.
!
Credentials
The SKILL.md and script require ALIYUN_IQS_API_KEY (sent as a Bearer token) which is appropriate for the service, but the registry metadata fails to list this required environment variable or a primary credential. The single API key requested is proportionate to the functionality, but the omission in metadata reduces transparency and is a coherence problem.
Persistence & Privilege
The skill does not request elevated persistence: always is false and it does not modify other skills or agent-wide settings. It behaves like a normal user-invocable skill.
What to consider before installing
This skill's code and documentation legitimately call Alibaba Cloud's Unified Search and require an ALIYUN_IQS_API_KEY and a Node runtime. Before installing: (1) Confirm you trust the skill source (homepage links to Aliyun docs but registry owner is unknown). (2) Expect to provide an ALIYUN_IQS_API_KEY — create a key with the minimal permissions and consider using a scoped/limited key. (3) Ensure Node is available where the agent will run. (4) Note the registry metadata should have declared the environment variable and node requirement — the omission is a packaging/documentation issue (not necessarily malicious) but reduces transparency. (5) If you need stronger assurance, request the publisher add explicit required env/binaries to the metadata or run the script in a sandbox and inspect network traffic to verify it only talks to cloud-iqs.aliyuncs.com.
scripts/search.mjs:47
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ewggjh63v386sm2ygk8mrns83ygan

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments