Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Metaso Search

v1.2.0

A Chinese AI search engine that deeply understands search intent and returns accurate, structured, ad-free Chinese information lookups and answers.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious · View report →
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill declares and documents a Chinese AI search integration that calls https://metaso.cn/api/v1/search and requires an API key; that much is coherent. However, skill.json and SKILL.md both reference an entry script (metaso.ps1) and local command invocations (.\skills\metaso-search\metaso.ps1), yet no code files are present in the package. The absence of the claimed executable script is an incoherence that needs explanation.
Instruction Scope
SKILL.md's runtime instructions stay on-topic (set METASO_API_KEY, call the documented Metaso API endpoint, example request/response). They do suggest storing the key in a local file named 'secrets/key存储文档.txt' (roughly "key storage document") and running a local PowerShell script; a local secrets file is related to the task, but it steers the user toward plaintext storage. The bigger issue is that the instructions expect a local script to be run even though none is provided, which could prompt an agent or user to fetch or execute the missing code from an external source if that is allowed.
Install Mechanism
There is no install spec (the skill is instruction-only). That is low-risk in itself, because no installer writes anything to disk. The risk comes from the missing entry script: the skill may lead an agent or user to download or run code that is not bundled.
Credentials
skill.json and SKILL.md require a single env var (METASO_API_KEY), which is proportionate for an API-based search integration. There is an inconsistency between the registry's metadata summary (top-level metadata states 'Required env vars: none') and skill.json/SKILL.md, which list METASO_API_KEY; this mismatch should be resolved. The instructions also recommend storing the key in a plaintext 'secrets' document, which is a security-practice concern (prefer environment variables or a secure secret store).
Persistence & Privilege
The skill does not request 'always: true' or any unusual system privileges, does not declare config-path requirements, and does not modify other skills. The default ability of the agent to invoke the skill autonomously is normal, but note that autonomous use lets the skill call external API endpoints with the supplied API key.
What to consider before installing
This package claims to be a PowerShell-based Metaso search skill but contains only documentation: no metaso.ps1 or other code. Before installing or enabling it:
1. Ask the publisher for the missing script or a trustworthy source (e.g., an official repo/release) and verify its contents.
2. Do not paste your METASO_API_KEY into plaintext files; prefer environment variables or a secure secret store.
3. Confirm that https://metaso.cn is the legitimate API endpoint and that you trust the operator to receive queries and logs tied to your API key.
4. If you allow the agent to run the skill autonomously, understand that it will send your queries and API key to that external service.
5. Avoid enabling the skill until the packaging inconsistency (documented entry script vs. missing code) is resolved.
If the author provides the missing script, review its code for unexpected file or network access before use.
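The Purpose & Capability and Credentials findings above both come down to package coherence: metadata that promises a script the bundle does not ship, env-var declarations that disagree between the listing, skill.json and SKILL.md, and docs that point at a plaintext secrets file. The following is an added example of the pre-install check a reviewer can run locally on the unpacked zip; it is not code from ClawHub, OpenClaw or the skill's author. The sample package, the skill.json field names `entry` and `env`, and the file name secrets/key.txt are constructed for this example, and OpenClaw's real skill.json schema may differ.

```python
import json
import posixpath
import re
from typing import Dict, FrozenSet, List

# Constructed sample modelled on what the scan describes: skill.json and
# SKILL.md both point at metaso.ps1, but the bundle ships no script. The
# skill.json keys "entry" and "env" are assumptions for this example, not
# OpenClaw's actual schema; the secrets file name is made up as well.
SAMPLE_PACKAGE: Dict[str, str] = {
    "skill.json": json.dumps({
        "name": "metaso-search",
        "version": "1.2.0",
        "entry": "metaso.ps1",
        "env": ["METASO_API_KEY"],
    }),
    "SKILL.md": (
        "# Metaso Search\n"
        "Set METASO_API_KEY, or keep it in secrets/key.txt.\n"
        "Run: .\\skills\\metaso-search\\metaso.ps1 -Query \"...\"\n"
        "Endpoint: https://metaso.cn/api/v1/search\n"
    ),
}

# Script-like paths an instruction file may tell the agent to execute.
SCRIPT_REF = re.compile(r"[\w.\\/-]+\.(?:ps1|sh|py|js|bat|cmd)\b")
# Credential-looking environment variable names mentioned in the docs.
ENV_REF = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*_(?:KEY|TOKEN|SECRET|PASSWORD)\b")
# References to a file under a "secret(s)/" directory, i.e. plaintext storage.
SECRET_FILE_REF = re.compile(r"(?i)\bsecrets?[\\/][\w.\\/-]+")


def _basename(ref: str) -> str:
    # Normalise Windows-style references so ".\skills\x\metaso.ps1" -> "metaso.ps1".
    return posixpath.basename(ref.replace("\\", "/"))


def referenced_scripts(package: Dict[str, str]) -> FrozenSet[str]:
    """Scripts (by basename) that the metadata or docs expect to exist."""
    meta = json.loads(package.get("skill.json", "{}"))
    refs = {meta["entry"]} if meta.get("entry") else set()
    for path, text in package.items():
        if path.lower().endswith(".md"):
            refs.update(SCRIPT_REF.findall(text))
    return frozenset(_basename(r) for r in refs)


def bundled_files(package: Dict[str, str]) -> FrozenSet[str]:
    """Basenames of every file actually shipped in the package."""
    return frozenset(_basename(p) for p in package)


def audit_skill(package: Dict[str, str],
                listing_env: FrozenSet[str] = frozenset()) -> List[str]:
    """Return human-readable findings; an empty list means the package is coherent.

    listing_env is what the registry listing claims under 'Required env vars'.
    """
    findings: List[str] = []
    meta = json.loads(package.get("skill.json", "{}"))
    docs = "\n".join(t for p, t in package.items() if p.lower().endswith(".md"))

    # 1. Every script the package tells the agent to run must be in the bundle.
    for script in sorted(referenced_scripts(package) - bundled_files(package)):
        findings.append(f"missing script: {script} is referenced but not bundled")

    # 2. Env vars must agree between skill.json, SKILL.md and the registry listing.
    declared = frozenset(meta.get("env", []))
    documented = frozenset(ENV_REF.findall(docs))
    if declared != documented:
        findings.append(f"env mismatch: skill.json={sorted(declared)} SKILL.md={sorted(documented)}")
    if declared != listing_env:
        findings.append(f"env mismatch: listing={sorted(listing_env)} skill.json={sorted(declared)}")

    # 3. Docs must not steer the user toward a plaintext secrets file.
    for ref in SECRET_FILE_REF.findall(docs):
        findings.append(f"plaintext secret storage suggested: {ref.rstrip('.')}")
    return findings


if __name__ == "__main__":
    # The listing for this skill says "Required env vars: none", so pass an empty set.
    for line in audit_skill(SAMPLE_PACKAGE) or ["no findings"]:
        print(line)
```

Run it against a real download by building the same {path: content} map from the unpacked zip (os.walk over the skill directory) and passing the listing's declared env vars as listing_env. The three findings it produces on the constructed sample (missing metaso.ps1, listing-vs-skill.json env mismatch, secrets/key.txt) are exactly the three points the scan raises; once the script is bundled and the plaintext-file advice is removed, the audit returns an empty list.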
