Union Search Skill
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a broad multi-platform search and download skill whose main behavior is coherent, but it asks for many API keys and session cookies that are not declared in the registry metadata.
Review the credential template before installing. Prefer API keys over account cookies, do not provide browser/session cookies unless you understand the specific command that will use them, and keep downloads and saved raw responses in a directory you can inspect and clean up.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the skill may use third-party account credentials or session cookies to make searches or downloads on the user's behalf.
The template asks users to provide many API keys and account/session cookies, while the registry metadata says there are no required environment variables and no primary credential. The API keys are purpose-aligned for search integrations, but raw cookies and cookie-file access can carry broad account authority and are under-declared.
GITHUB_TOKEN=your_github_token_here ... TIKHUB_TOKEN=your_tikhub_token_here ... WEIBO_COOKIE=your_weibo_cookie_here ... ZHIHU_COOKIE=your_zhihu_cookie_here ... YTDLP_COOKIES_FILE=
Use dedicated, least-privilege API keys where possible, avoid pasting full account cookies unless necessary, and review which commands use each credential before running them.
Running the download commands may create many local files or download media from third-party platforms.
The skill documents batch image downloads and yt-dlp-based media downloads. These are consistent with the skill's stated purpose and appear user-directed, but they can write many files locally.
python union_search_cli.py image "cute cats" ... --limit 20 --output-dir ./cat_images ... python union_search_cli.py download "https://www.youtube.com/watch?v=dQw4w9WgXcQ" --output-dir ./downloads
Set explicit output directories, limits, and selected items before running download commands.
Users may need to fetch additional code outside the registry, which changes what code they are trusting and running.
The README says Hub-installed versions may be incomplete and recommends obtaining a fuller copy from an external GitHub repository. This is disclosed and not automatically executed, but it creates a provenance and completeness issue for users.
通过 Core Hub 安装的版本会缺失部分文件 ... 推荐直接从 GitHub 仓库下载完整版本:https://github.com/anyangrc/union-search-skill
Install only from a trusted source, verify the repository and version, and avoid mixing unreviewed external files with the registry package.
Search history and raw results may remain in local files after use.
The skill can persist raw search/API responses and compare them later. This is purpose-aligned, but it may retain user queries and third-party response data on disk.
自动响应归档 ... 原始响应: 保存在 `responses/` 目录(使用 `--save-raw` 参数) ... 使用保存的响应文件比较跨平台结果
Avoid saving raw responses for sensitive searches, and periodically delete `responses/` or `search_logs/` files you no longer need.