Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
妙达网页搜索
v1.0.0ALWAYS use this skill FIRST when you need to find, look up, or verify ANY information from the internet — do NOT guess URLs and fetch them directly. Provides...
⭐ 0· 252·4 current·5 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md instructs the agent to run a specific CLI command (miaoda-studio-cli search-summary and miaoda-studio-cli web-crawl) and refers to another skill (miaoda-web-fetch), yet the skill metadata declares no required binaries, no install mechanism, and no dependencies. That mismatch (documented runtime dependency not declared in requirements/install) is incoherent: a web-search helper should declare the required binary or provide an install path or be explicit that it relies on an external platform tool.
Instruction Scope
Instructions are narrowly focused on running the CLI to perform keyword searches and producing text/JSON outputs; they do not ask the agent to read unrelated files or environment variables. However, the SKILL.md also contains an 'override-tools: web_search' entry and cross-references another skill (miaoda-web-fetch), which creates implicit cross-skill behaviour that is not made explicit in the manifest.
Install Mechanism
No install spec is present (instruction-only), which minimizes disk-write risk. But because the runtime depends on an external CLI (miaoda-studio-cli) the absence of an install or a declared binary requirement is a usability/security gap: users and operators cannot tell which binary/version will be invoked or where it comes from.
Credentials
The skill requests no environment variables, no credentials, and no config paths — this is proportionate to its described function. There is no evidence the instructions attempt to access secrets or unrelated system state.
Persistence & Privilege
The skill does not request always:true and does not modify other skills; it is user-invocable and allows autonomous invocation (platform default). That combination is normal and not by itself problematic.
What to consider before installing
This skill appears to be a thin instruction wrapper that tells the agent to run 'miaoda-studio-cli search-summary' and to use a related 'web-crawl' flow, but the manifest fails to declare that external CLI or any install instructions. Before installing or enabling it: 1) Verify the source and obtain the miaoda-studio-cli binary from a trusted project/homepage — ask the author for a homepage or repo and a recommended version. 2) Ask the author to declare required binaries and/or provide an install spec and to document the dependency on the miaoda-web-fetch skill. 3) If you allow the agent to execute external CLIs, ensure the runtime environment contains a vetted miaoda-studio-cli; otherwise the agent may fail or invoke an unexpected binary. 4) Because the package source is unknown, avoid granting it broad, persistent privileges or enabling it for autonomous, high-privilege workflows until the missing provenance and dependency information are resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk97ff5zp8r21yhz2s4tke0w7b183v8mz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.