Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DeepDive OSINT

v1.0.0

Autonomous OSINT investigation tool. Give it a name, company, or event — it searches, extracts every entity, and maps connections into an interactive 3D grap...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name and description (autonomous OSINT, graphing, web extraction) align with required binaries (python3, git, pip3) and the declared uv package (duckduckgo-search). However, the SKILL.md also instructs an additional automatic git clone + pip install of the 'deepdive' GitHub repo which is not reflected in the registry install spec — a discrepancy worth noting.
! Instruction Scope
Runtime instructions tell the agent to clone https://github.com/Sinndarkblade/deepdive and run pip install -r requirements.txt, import and execute code from that repo, start a local server, open local files with xdg-open, and save investigations under ~/deepdive. Those actions reach beyond simple in-skill commands: they download and execute arbitrary remote code and create persistent data on disk.
! Install Mechanism
Registry lists only a uv install (duckduckgo-search -> ddgs), but the SKILL.md performs a git clone from GitHub and runs pip to install the repo's requirements. Cloning and pip-installing a third‑party repo on first run is a high-risk install pattern because it executes code pulled from upstream without verification.
! Credentials
The skill declares no required env vars, but it uses and writes config at ~/.deepdive/settings.json (not declared) and recommends configuring external AI providers (which would require API keys). The skill's instructions therefore implicitly require storing/using credentials and config files that weren't declared in the metadata.
Persistence & Privilege
always:false and model invocation are normal, but the skill will create ~/deepdive and investigations, and pip-install dependencies into the Python environment. This grants persistent disk presence and can affect the host Python environment (global installs), which is a non-trivial privilege even if not 'always' enabled.
What to consider before installing
This skill will (on first run) clone and pip-install a third-party GitHub repository and create a ~/deepdive directory with investigation data. Before installing, review the GitHub repo and its requirements.txt for malicious or surprising dependencies. If you proceed, run the skill in an isolated environment (VM/container) or use a dedicated Python virtualenv to avoid global pip installs. Do not place sensitive API keys into ~/.deepdive/settings.json or the web UI unless you fully trust the upstream code. Prefer manual installation and code inspection over automatic 'first run' installs; if you need the capability but want lower risk, ask the maintainer for a vetted release or run the tool from a checked-out copy you control.

Like a lobster shell, security has layers — review code before you run it.

latestvk973vwv5rbkeafkpnksy0fan5984v5pn

Runtime requirements

🔍 Clawdis
OS: Linux · macOS · Windows
Bins: python3, git, pip3

Install

uv
Bins: ddgs
uv tool install duckduckgo-search
