Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Union Search Skill
v1.2.0当用户需要跨多个平台搜索内容时使用此技能,包括 GitHub(仓库、代码、问题)、Reddit(帖子、子版块、用户)、小红书、抖音、Bilibili、YouTube、Twitter、微信(公众号文章)、Google、Tavily、秘塔搜索、火山引擎,以及通用搜索引擎(DuckDuckGo、Brave、Yahoo、...
⭐ 1· 391·7 current·8 all-time
byZiJiE.Z@runningz1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name/description (multi‑platform search) matches the included code, but the registry metadata claimed 'Required env vars: none' while the project clearly expects many credentials (ENV_TEMPLATE lists GITHUB_TOKEN, GOOGLE_API_KEY, YOUTUBE_API_KEY, TIKHUB_TOKEN, SERPAPI keys, VOLCENGINE_API_KEY, etc.). That mismatch is incoherent: a search tool that needs many third‑party API keys should declare them. Also SKILL.md says 'instruction-only' in registry but the bundle contains 150+ Python files and bundled Node 'dist' artifacts — the install/runtime footprint is far larger than metadata indicates.
Instruction Scope
SKILL.md instructs the agent to create and read a .env, run many scripts, save raw responses, download bulk images/videos, and use cookies/proxies for downloads. Those instructions are within the stated search/archival purpose, but they grant broad discretion to access and persist potentially sensitive tokens, cookies, and large amounts of fetched content. The SKILL.md also includes guidance to save raw API responses and to use grep/jq on them — which could lead to storing sensitive data locally (cookies, auth responses).
Install Mechanism
There is no install spec (so the skill is 'instruction-only' in registry), yet the package includes large third‑party Node distribution files (defuddle-node/dist/*), many Python modules, and README warns about a >50MB size and recommends downloading from an external GitHub repo. The presence of compiled/minified JS artifacts increases review burden because they are large and harder to audit; lack of an explicit, trusted install source is a moderate concern.
Credentials
Metadata said no required env vars, but ENV_TEMPLATE and code reference many sensitive environment variables (API keys, cookies, multiple SERPAPI keys, YTDLP_COOKIES_FILE, WEIBO_COOKIE, ZHIHU_COOKIE, etc.). Requesting many unrelated credentials (multiple search providers + cookies) without declaring them is disproportionate and risky: if the agent is allowed to read environment variables or a .env file, it will have access to a broad set of secrets not reflected in metadata.
Persistence & Privilege
always:false (good), but the skill is allowed to be invoked autonomously (default). Combined with the other concerns (undisclosed credentials, code bundle that saves raw responses and downloads media), autonomous invocation increases blast radius: the skill could read a .env, call many external services, and persist responses/downloads. The bundle also includes large scripts like reddit/agents.py which deserve manual inspection for autonomous behavior.
Scan Findings in Context
[pre-scan-prompt-injection-base64-block] unexpected: The SKILL.md triggered a 'base64-block' pattern. There is no legitimate need for base64 injections in plain runtime instructions; this could be an attempt to smuggle content or evade scanners. Recommend manually inspect SKILL.md for any embedded encoded blocks.
[pre-scan-prompt-injection-unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These are sometimes used to obfuscate content to evade simple scanners or to split lines invisibly. They are not needed for normal README/instruction text and warrant careful review.
What to consider before installing
What to consider before installing or running this skill:
- Metadata and reality mismatch: the registry claims no env requirements and 'instruction-only', but the package contains many scripts and the ENV_TEMPLATE lists many sensitive API keys and cookies. Treat the skill as one that will try to access .env and call many external services.
- Do not run it in a production environment or with real credentials present. If you want to try it, run inside an isolated sandbox/container or VM and use throwaway API keys or minimal-permission keys.
- Inspect high-risk files first: ENV_TEMPLATE, SKILL.md, scripts/reddit/agents.py (very large), any '*.js' in dist/ (minified/compiled JS), and downloader modules (yt-dlp usage). Look for code that transmits data to unknown endpoints beyond the documented search APIs.
- Remove or sanitize .env before running, or create a .env with only the specific keys you intend to test. Never paste full raw JSON API responses into external chat sessions as SKILL.md recommends avoiding, but still be careful — saved responses may contain tokens/cookies.
- The SKILL.md contains detected obfuscation patterns (base64, unicode control chars). Manually open SKILL.md and the bundled JS files in a safe environment and search for any encoded or hidden strings and for hardcoded endpoints.
- Prefer obtaining the project from the upstream GitHub repo referenced in README and verify commit history and authorship; check if the registry copy is complete or truncated (README warns about size limits). If you must use the registry copy, expect missing files and audit what is present.
- If you lack the ability to review code, avoid installing this skill or only use it through a trusted intermediary service that can sandbox and review network traffic. Consider limiting network egress or using a proxy that logs and inspects outbound calls.
If you want, I can: (1) summarize which exact files reference which environment variables, (2) search the bundle for suspicious network endpoints or hardcoded credentials, or (3) extract and highlight the largest/minified files that need manual review.Like a lobster shell, security has layers — review code before you run it.
latestvk979v80tgdqyr5s01hk9tsymm183dh44
License
MIT-0
Free to use, modify, and redistribute. No attribution required.