Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deep Research Pro 1.0.2

v1.0.0

Multi-source deep research agent. Searches the web, synthesizes findings, and delivers cited reports. No API keys required.

by Raidan Pro @raidan-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to perform web research using DuckDuckGo with no API keys, which fits the description; however the runtime instructions require a local ddg search script at /home/clawdbot/clawd/skills/ddg-search/scripts/ddg and use curl/python3. None of these binaries or config paths are listed in the skill's declared requirements, and the ddg script appears to be a dependency provided by another skill (not declared). Hard-coded absolute paths to another skill's script are disproportionate and fragile.
! Instruction Scope
SKILL.md instructs the agent to execute commands against absolute local paths (/home/clawdbot/...), run a local ddg script, fetch arbitrary URLs with curl and pipe them into python3 -c, create directories under ~/clawd/research, and spawn sub-agents reading local skill files. These instructions reference system paths and other skills' files not declared in the metadata and grant the agent discretion to fetch and process many external URLs — all of which broaden the runtime surface beyond what's documented.
Install Mechanism
There is no install spec (instruction-only), which reduces direct install risk. However, relying on an undeclared local script (ddg) and standard tools (curl, python3) means the skill expects existing software on the host; because the script path is an arbitrary local file, execution of that script (if present) could run anything. No external downloads are specified.
Credentials
The skill requests no credentials or environment variables, which is proportionate. That said, it omits declaring required binaries (curl, python3) and required config paths (/home/clawdbot/... and ~/clawd/...), so the metadata understates what the skill actually needs and will access.
Persistence & Privilege
The skill is not set to always:true and is user-invocable (defaults). It directs saving reports under the user's home (~/clawd/research) and instructs spawning sub-agents, which are normal for a research agent. There is no explicit request to modify other skills' configurations or to remain permanently enabled.
What to consider before installing
This skill's SKILL.md hard-codes execution of a local ddg search script (/home/clawdbot/.../ddg) and uses curl/python3 but fails to declare those dependencies. Before installing:
1) Inspect the actual ddg script at the path referenced (if it exists) to verify what it runs — it could execute arbitrary commands.
2) Confirm curl and python3 are the intended tools and that running curl | python3 is acceptable in your environment.
3) Ask the author to (a) declare required binaries and config paths in metadata, (b) avoid hard-coded absolute paths or provide a packaged ddg-search dependency, or (c) switch to an explicit network API call or a bundled, auditable search implementation.
4) Run the skill in a restricted/sandboxed environment first and monitor filesystem and network activity.
If you cannot inspect the ddg script or the environment where it will run, treat this skill as risky and avoid granting it execution privileges.

Like a lobster shell, security has layers — review code before you run it.

latestvk974bdm9a57tzfjf7w0pjsjzn183jsy3

Runtime requirements

🔬 Clawdis
