ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Iqs Search

v0.0.2

Real-time web search and page reading using Aliyun IQS APIs. Use this skill FIRST when the user needs current information, news, facts verification, URL cont...

0· 116·0 current·0 all-time
byalibabacloud-skills-team@sdk-team

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sdk-team/alibabacloud-iqs-search.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Alibabacloud Iqs Search" (sdk-team/alibabacloud-iqs-search) from ClawHub.
Skill page: https://clawhub.ai/sdk-team/alibabacloud-iqs-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alibabacloud-iqs-search

ClawHub CLI

Package manager switcher

npx clawhub@latest install alibabacloud-iqs-search
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name/description match the included scripts (they call Alibaba IQS endpoints). However the registry metadata declares no required env vars or binaries while the code requires Node.js >=18 and an ALIYUN_IQS_API_KEY (via env or ~/.alibabacloud/iqs/env). The missing declarations are an incoherence: the skill will not function without those, so they should have been declared.
!
Instruction Scope
SKILL.md explicitly requires executing the supplied node scripts and forbids using built-in web_search/WebFetch fallbacks. That forces the agent to run local code which performs network requests. The scripts read an API key from the environment or a config file in the user's home (~/.alibabacloud/iqs/env). The instruction to avoid internal tools and always run the scripts expands agent behavior and should have been justified in metadata.
Install Mechanism
No install spec (instruction-only) and included JS scripts only — low installation risk. There is no downloading of external archives or third-party packages. However Node.js runtime is required but not declared in the registry's required binaries, which is an omission to fix.
!
Credentials
The scripts require an ALIYUN_IQS_API_KEY (via environment or config file in the user's home). The registry lists no required env vars or primary credential. Requesting a single provider API key is proportionate to the stated purpose, but failing to declare it is a security/operational gap. The code does read a user home config file path — reasonable for locating credentials but it should be documented and declared.
Persistence & Privilege
The skill is not marked always:true, does not modify other skills or system-wide agent settings, and does not request persistent elevated privileges. Its main extra privilege is that it instructs the agent to execute bundled scripts which will make outbound network calls (expected for this purpose).
What to consider before installing
This skill implements Alibaba Cloud IQS search/read via included Node scripts that POST to cloud-iqs.aliyuncs.com. Before installing: (1) Confirm you are comfortable providing an ALIYUN_IQS_API_KEY (the skill expects this but the registry metadata did not declare it). (2) Ensure Node.js >= 18 is available — again this is required but not listed in the registry. (3) Be aware the SKILL.md forces execution of the local scripts (it forbids using internal web search/fetch fallbacks), so installing gives the agent permission to run code that will make outbound requests using your API key and read a config file at ~/.alibabacloud/iqs/env if present. (4) Review the two scripts yourself (they only contact cloud-iqs.aliyuncs.com and set an X-API-Key header) and verify you trust that endpoint and how your API key will be used. (5) Ask the skill author or registry maintainer to update metadata to declare the required env var (ALIYUN_IQS_API_KEY) and required binary (Node.js), and to explain why execution of bundled scripts is mandatory rather than allowing safe fallbacks. If you cannot validate these points, do not install or provide credentials.
scripts/readpage.mjs:45
Environment variable access combined with network send.
scripts/search.mjs:37
Environment variable access combined with network send.
!
scripts/readpage.mjs:57
File read combined with network send (possible exfiltration).
!
scripts/search.mjs:49
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97es4vmgx88pyvd6awmvv3btx85ecgz
116downloads
0stars
2versions
Updated 4d ago
v0.0.2
MIT-0
alibabacloud-skills-team@sdk-team
latest
Download

alibabacloud-iqs-search

Prerequisites

  • Node.js >= 18.0.0 (scripts use native fetch API, no external npm dependencies)

When to Use

  • User asks for current/recent information
  • User provides a URL to read
  • Need to verify facts or get real-time data
  • Research tasks requiring multiple sources

Decision Tree

Step 1: Determine Operation Type

  • If user provides a URL → Use readpage
  • If user asks a question needing web info → Use search

Step 2: For Search Operations

Follow the best practices to determine parameter values. Use default values when uncertain:

  • engineType
  • timeRange
  • contents

Step 3: For Page Reading

Follow the best practices to determine parameter values. Use default values when uncertain:

  • format
  • extractArticle
  • stealthMode

CRITICAL: Execution Method

You MUST execute the scripts via bash command (e.g., node scripts/search.mjs ... or node scripts/readpage.mjs ...). Do NOT use your built-in web_search, WebFetch, or any other internal tools as substitutes. If the script fails, retry or report the error — do NOT fall back to built-in tools.

Parameters & Best Practices

Search Parameters

ParameterTypeRequiredDefaultDescription
--querystringYes-Search query (1-500 chars)
--engineTypestringNoLiteAdvancedSearch engine type
--timeRangestringNoNoLimitTime range filter
--contentsstringNo-Type of return content
--numResultsintNo10Number of search results (1-10)

Search Best Practices

1. Query Optimization (--query)

  • Keep queries concise (< 30 chars for best results)
  • Use specific keywords, avoid stop words
  • For news: include time context in query

2. Engine Selection (--engineType)

  • LiteAdvanced: Semantic search, 1-50 results, general use
  • Generic: Fast, 10 results, news/realtime

3. Time Range Selection (--timeRange)

  • NoLimit: Default when uncertain - engine optimizes based on query relevance
  • OneDay: Today only
  • OneWeek: Last 7 days
  • OneMonth: Last 30 days
  • OneYear: Last 365 days

4. Content Return (--contents)

  • mainText: Return full main text content - Use when detailed information is needed, such as technical documentation, research reports, or in-depth articles
  • summary: Return concise summary only - Use when a quick overview is sufficient, or when the page content is too large and token reduction is needed

5. Result Count (--numResults)

  • Control number of results returned (default: 10, range: 1-10)

ReadPage Parameters

ParameterTypeRequiredDefaultDescription
--urlstringYes-Target page URL
--formatstringNomarkdownReturn format
--timeoutnumberNo60000Total timeout in milliseconds
--pageTimeoutnumberNo15000Page load timeout in milliseconds
--stealthnumberNo0Enable stealth mode (0 or 1)
--extractArticlebooleanNofalseExtract main article content only

ReadPage Best Practices

1. Format Selection (--format)

  • markdown: Best for articles, preserves structure (default)
  • text: Best for data extraction
  • html: When structure analysis needed

2. Article Extraction (--extractArticle)

  • Enable for: blogs, news articles
  • Disable for: product pages, directories

3. Handling Failures (--timeout, --stealth)

  • If timeout: Retry with increased --timeout value
  • If blocked: Enable --stealth 1
  • If still fails: Report to user

Command Line Usage

Search Examples

Basic Search

node scripts/search.mjs --query "量子计算原理" --engineType LiteAdvanced

Real-time Information Search

node scripts/search.mjs --query "最新金融政策" --engineType Generic --timeRange OneWeek

Search with Results Limit

node scripts/search.mjs --query "www.aliyun.com" --engineType LiteAdvanced --numResults 3

Search with Full Content

node scripts/search.mjs --query "AI 法案" --engineType LiteAdvanced --contents mainText

Search with Summary Only

node scripts/search.mjs --query "人工智能行业年度报告" --engineType LiteAdvanced --contents summary

ReadPage Examples

Page Reading with Markdown Format

node scripts/readpage.mjs --url "https://example.com/article" --format markdown --extractArticle true

Page Reading with Plain Text Format

node scripts/readpage.mjs --url "https://example.com/article" --format text --timeout 60000

Page Reading with Stealth Mode

node scripts/readpage.mjs --url "https://example.com/article" --format markdown --stealth 1 --extractArticle true

Output Verification

After executing any search.mjs or readpage.mjs command:

  1. Check the exit code: If non-zero, the command failed — do not claim success.
  2. Verify output exists: If you saved results to a file, run ls -la <filepath> and head -20 <filepath> to confirm the file exists and contains valid data.
  3. Never fabricate results: If the command failed or returned an error, report the failure honestly. Do not generate content from your own knowledge and present it as search results.

Error Handling

ALIYUN_IQS_API_KEY Configuration Error

If the script returns an error about missing API key:

  1. STOP the current task immediately. Do NOT fall back to built-in tools (WebFetch, web_search, curl, etc.) as substitutes.

  2. Report the error to the user and ask the user to configure the API key:

  3. Retry the task with following instruction: Method 1: Environment Variable

export ALIYUN_IQS_API_KEY="your-api-key"

Method 2: Configuration File Create or edit ~/.alibabacloud/iqs/env:

ALIYUN_IQS_API_KEY=your-api-key

Comments

Loading comments...