Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi-Search Fallback

v1.0.0

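Multi-source search aggregation skill. When the user needs to search for information, look something up, or do research, it automatically calls multiple search sources for cross-validation to improve the accuracy of the results. Trigger scenarios: searching for something, verifying a claim, doing research, multi-source verification, compare multiple sources, proactively re-checking when search results are inconsistent. **For any search-type request, always use this skill first**; it automatically decides whether to return quickly from a single source or go multi-source deep...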

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (aggregate multiple search sources and perform cross-validation) aligns with the skill.json and SKILL.md: it lists and intends to call multiple search skills. This dependency list is expected for an aggregator. However, the skill references tools (e.g., tavily-search, deep-research-pro, mx_search) that often require API keys or external access but the skill does not declare any required credentials or warn about them — a transparency gap.
! Instruction Scope
The SKILL.md explicitly instructs the agent to spawn child sessions (sessions_spawn) and call many other skills to perform searches and cross-validate results. That is within the stated scope, but the instructions give broad discretion to automatically choose which external tools to call (including deep research and financial tools) and to send queries and results to those tools. There is no guidance about redacting sensitive input before forwarding, nor any explicit restriction on what context is forwarded to child skills. The SKILL.md also directs that this skill be prioritized for all search-class requests, which may cause unexpected automatic forwarding of user queries to external services.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is written to disk by the skill itself, which is low-risk from an install/execution perspective.
! Credentials
The skill declares no required environment variables, yet it intends to invoke downstream skills that (according to the SKILL.md) may require API keys (e.g., Tavily). Because it auto-invokes other skills, it can cause those other skills to use their own credentials or network access without this skill declaring them. This indirect use of credentials and external endpoints is not surfaced to the user and may be disproportionate to what a user expects from a single aggregator skill.
Persistence & Privilege
The skill is not marked always:true and does not claim to persist or modify other skills' configurations. However, its autonomous invocation capability (platform default) combined with automatic prioritization for all search tasks increases the chance that user queries will be forwarded to multiple external services without explicit per-query consent. This combination raises the blast radius if downstream skills have broad privileges.
What to consider before installing
This skill is logically consistent as a search aggregator, but it will automatically call other search skills (some of which may require API keys or access to external services) and forward user queries to them. Before installing:
1) Review the referenced downstream skills (tavily-search, deep-research-pro, mx_search, etc.) to see what credentials they require and what external endpoints they contact.
2) Decide whether you want queries (which may contain sensitive context) to be automatically forwarded to multiple external services; if not, keep this skill user-invocable only or disable global prioritization.
3) Ask the author to document which downstream tools require credentials and how data is shared/retained, and request explicit redaction rules for sensitive fields.
4) If you operate in a sensitive environment, test in a restricted sandbox or refuse installation until the transparency gaps are addressed.

Like a lobster shell, security has layers — review code before you run it.
