Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aliyun Web Search
v1.0.0 · Aliyun Real-time Search | Aliyun Real-time Web Search with Quark Engine
⭐ 1· 756·4 current·4 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the behavior: the skill needs an Aliyun API key and a service host and performs POST requests to an Aliyun OpenSearch web-search endpoint. Nothing requested (env/config) appears unrelated to web search.
Instruction Scope
SKILL.md instructs the agent and user to obtain an API key, set ALIYUN_SEARCH_API_KEY and ALIYUN_SEARCH_HOST, add them to openclaw.json, and restart the gateway—these steps are expected. The bundled script posts the query to the configured host and uses the API key in an Authorization header. Notes: the README examples show HTTP URLs (prefer HTTPS in production); the script hardcodes workspace/service IDs which may need adjustment for some instances; the script assumes curl is available but required binaries were not declared.
Install Mechanism
Instruction-only skill with a small helper script and no install spec. No downloads or external installation steps, so low install risk.
Credentials
Only two environment variables are required (ALIYUN_SEARCH_API_KEY and ALIYUN_SEARCH_HOST), both directly used by the script. The number and naming of env vars are proportional to the skill's function.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It asks the user to add its env entries to openclaw.json (normal) and to restart the gateway; it does not modify other skills or system settings autonomously.
Assessment
This skill appears to do exactly what it claims: call your Aliyun OpenSearch instance using the API key and host you provide. Before installing:
1) Verify you use the correct ALIYUN_SEARCH_HOST (pointing to Aliyun domains); pointing the host to an attacker-controlled URL would expose your API key.
2) Prefer HTTPS endpoints rather than the HTTP examples in the docs.
3) Ensure curl is available in the runtime environment (the script uses curl but 'curl' wasn't listed in required binaries).
4) Check and, if necessary, update the hardcoded workspace/service_id in scripts/search.sh to match your instance.
5) Store the API key with least privilege and avoid sharing openclaw.json with others.
If you need higher assurance, inspect or run the script in a sandboxed environment and confirm network traffic goes only to your Aliyun hosts.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
🔍 Clawdis
Env: ALIYUN_SEARCH_API_KEY, ALIYUN_SEARCH_HOST
