Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

automation-skill

v1.0.0

A comprehensive automation skill pack. It provides two practical scripts: parallel multi-engine search (Baidu/Bing/Google/DuckDuckGo, etc.) and daily review logging and analysis. Triggered when the user needs: 1) efficient batch search ("search XXX for me", "multi-engine search"); 2) self-reflection and growth records ("log this reflection", "generate a review report"); 3) searching for and installing skills ("install the XX skill").

0 · 14 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The README/SKILL.md claim three primary features: multi-engine search, daily reflection, and a 'find-skills' / skills discovery/install ability. The distributed package contains working Python scripts for search and reflection, but there is no implementation for 'find-skills' or skills installation. Several engines listed in docs (e.g., sogou/toutiao/brave/wolfram) are included in ENGINES but parsers for some are missing or unimplemented, so the advertised full-engine support is inaccurate. The SKILL.md footer claims version 2.0.0 while registry metadata is 1.0.0 — another mismatch.
[!] Instruction Scope
Runtime instructions are mostly limited to running the included scripts and installing the 'requests' package. However the reflection script reads/writes files under the user's home (~/.qclaw/memory/memory.md) and the README/SKILL.md reference that path as the memory store; this file-system access is not declared in the skill's metadata (requires.config paths). The search script issues outbound HTTP requests to multiple public search engines for whatever keywords the user supplies — meaning user-supplied queries (possibly sensitive) will be transmitted to external services. The SKILL.md also claims a 'find-skills' trigger and integration (skills.sh / ClawHub) but gives no runtime steps for safely discovering/installing other skills.
Install Mechanism
There is no packaged installer; it's instruction-only with two Python scripts. The only third-party dependency used is 'requests' (installed via pip in the docs). No archive downloads, no remote install URLs, and no obfuscated/compiled binaries — low install risk in that sense.
[!] Credentials
The skill declares no required env vars or config paths, but scripts will create and write to ~/.qclaw/memory and memory.md (HOT_FILE). That is persistent local state and was not declared in the skill metadata. Network access is required (search requests) and will expose user search terms to external search engines. No other credentials are requested, which is proportionate, but the undeclared file writes and external queries are notable.
Persistence & Privilege
The skill is not 'always: true' and does not request elevated platform privileges. It does create persistent files under the user's home directory (~/.qclaw/memory/), which is normal for a journaling tool but is persistent state the user should be aware of. It does not modify other skills or system-wide settings.
What to consider before installing
This package mostly does what it says: two Python scripts for multi-engine searching and a local reflection journal. Before installing or running it, consider the following:

- Review the scripts yourself (they are included). They make outbound HTTP requests to public search engines for whatever query you provide — avoid sending secrets or sensitive queries.
- The reflection tool will create and append to ~/.qclaw/memory/memory.md (persistent local data). Back up or inspect that file if you care about privacy. The skill metadata did not declare this path.
- The SKILL.md and README claim a 'find-skills' / skills-install integration and broader engine support; those features are not implemented or are only partially implemented. Treat those claims as overstated.
- If you plan to run the search tool on a shared or production machine, consider running it in a sandbox or VM and monitor network traffic.
- If you want to proceed, run 'pip install requests' in a controlled environment and test the scripts with non-sensitive queries. If you need the 'find-skills' capability, request clarification from the author or avoid trusting the skill until that feature is provided and audited.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, automation, latest, productivity, search
