Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DashScope Web Search (Feishu)

v1.0.0

Search the web for real-time information using DashScope Qwen, optimized for Feishu. Use this skill whenever: (1) the user asks about current events, news, w...

by Jeffrey (@oreo992)

Install

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for oreo992/dashscope-web-search-feishu.

Prompt: Install & Setup
Install the skill "DashScope Web Search (Feishu)" (oreo992/dashscope-web-search-feishu) from ClawHub.
Skill page: https://clawhub.ai/oreo992/dashscope-web-search-feishu
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:

openclaw skills install oreo992/dashscope-web-search-feishu

ClawHub CLI:

npx clawhub@latest install dashscope-web-search-feishu

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill's description (real-time web search for Feishu) matches the code's functionality (web_search.py uses DASHSCOPE_API_KEY; feishu_image.py uploads images to Feishu). However the registry metadata declared no required environment variables while the code requires DASHSCOPE_API_KEY and (for image mode) FEISHU_APP_ID/FEISHU_APP_SECRET. The README and SKILL.md mention installing the 'openai' Python package but the skill metadata did not declare this dependency. These mismatches are inconsistent and unexpected.
Instruction Scope (flagged)
SKILL.md instructs the agent to run included scripts, which is expected, but the scripts also read credentials and (if Feishu env vars are missing) attempt to read openclaw.json from several system/user paths (../../openclaw.json, ~/openclaw/openclaw.json, /home/openclaw/openclaw.json). That allows the skill to access configuration and possibly other secrets outside its own directory. The feishu_image.py pipeline will download arbitrary image URLs and upload them to Feishu; that behavior is coherent with the stated image pipeline but the fallback config file reads are scope creep and should be explicit.
Install Mechanism
There is no install spec (instruction-only), which keeps disk-write risk low. The README instructs installing the 'openai' Python package via pip — this is expected given the scripts import openai. No third-party binaries or remote archive downloads are fetched by the skill itself. However the missing declared dependency in the metadata is a coordination issue the user should fix before running.
Credentials (flagged)
The skill actually requires DASHSCOPE_API_KEY for all searches and FEISHU_APP_ID/FEISHU_APP_SECRET for image send/upload, but the registry lists no required env vars. Additionally, feishu_image.py will fall back to reading openclaw.json from several locations to extract Feishu credentials — this can expose unrelated channel credentials if present. The number/nature of credentials requested is proportionate to the feature set, but the fact they are not declared and that the skill will search for credentials in global config files is a privacy/authorization concern.
Persistence & Privilege
The skill does not request persistent/always presence (always:false). It writes a token cache to /tmp/feishu_token.json and temporary images under a temp directory, which is normal. It does not modify other skills' configs or attempt to enable itself. The main privilege concern is read access to openclaw.json fallback paths, which lets it harvest credentials from outside its folder if those files exist and are readable.
Scan Findings in Context
[ssl_verify_disabled] unexpected: scripts/feishu_image.py creates an SSL context with check_hostname=False and verify_mode=CERT_NONE and uses it for both downloads and API calls. Disabling TLS verification is insecure and not necessary for normal interaction with DashScope/Feishu APIs.
[reads_external_config_fallback] unexpected: feishu_image.py will read openclaw.json from multiple filesystem locations as a fallback to find FEISHU_APP_ID/FEISHU_APP_SECRET. While convenience is understandable, autodiscovering and reading global config files is not declared in the skill metadata and can expose unrelated secrets.
[requires_api_keys_not_declared] unexpected: web_search.py demands DASHSCOPE_API_KEY and feishu_image.py requires FEISHU_APP_ID/FEISHU_APP_SECRET (for image mode). The skill registry metadata listed no required env vars — a manifest mismatch that can mislead users and automated permission checks.
[uses-openai-python-package] expected: web_search.py relies on the openai Python package (used to call DashScope-compatible API). Installing this package is expected, but the dependency is not declared in the registry metadata or an install spec.
What to consider before installing
Do not install blindly. Before running, ensure you understand and accept these points:

  1. The skill requires a DASHSCOPE_API_KEY and — only for image sending — FEISHU_APP_ID and FEISHU_APP_SECRET, but the skill's metadata does not declare these; set them explicitly in a controlled environment.
  2. The feishu_image pipeline will attempt to read openclaw.json from several locations if Feishu env vars are missing — if you keep global credentials in those paths, the skill can access them; remove or restrict those files if you don't want that.
  3. feishu_image.py disables TLS verification (ssl.CERT_NONE) for downloads and API calls — audit and fix this (remove the custom SSL context) before trusting the skill in production.
  4. Install and audit the 'openai' package and run the scripts in an isolated or least-privileged environment (container or VM) until you're comfortable.
  5. If you plan to use image mode, create a Feishu app with minimal permissions and rotate credentials after testing.

If you want to proceed, update the skill metadata to declare required env vars and consider removing the openclaw.json autodiscovery and the disabled TLS verification.
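As an added audit helper (my example, not ClawHub's scanner and not the skill's own code), the script below checks a skill directory for the three patterns the findings above name: a TLS context with verification switched off, fallback reads of openclaw.json, and environment variables the code reads but the manifest does not declare. The regexes and the inline sample script are constructed assumptions, written to reproduce the reported patterns rather than copied from feishu_image.py or web_search.py.

```python
import os, re, tempfile

# Patterns taken from the scan findings above; the regexes are my own, not ClawHub's.
TLS_DISABLED = re.compile(r"check_hostname\s*=\s*False|CERT_NONE")
CONFIG_FALLBACK = re.compile(r"openclaw\.json")
ENV_USE = re.compile(
    r"os\.environ(?:\.get)?\s*[\[(]\s*['\"]([A-Z0-9_]+)['\"]|getenv\(\s*['\"]([A-Z0-9_]+)['\"]"
)

def audit_skill(skill_dir, declared_env):
    """Scan every .py file under skill_dir; return sorted (finding, file, detail) tuples."""
    findings = []
    for root, _, files in os.walk(skill_dir):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, skill_dir)
            with open(path, encoding="utf-8") as fh:
                src = fh.read()
            if TLS_DISABLED.search(src):
                findings.append(("ssl_verify_disabled", rel, "TLS verification turned off"))
            if CONFIG_FALLBACK.search(src):
                findings.append(("reads_external_config_fallback", rel, "reads openclaw.json"))
            used = {a or b for a, b in ENV_USE.findall(src)}
            for var in sorted(used - set(declared_env)):
                findings.append(("requires_api_keys_not_declared", rel, var))
    return sorted(findings)

# Constructed sample reproducing the reported patterns; it is not the skill's real script.
SAMPLE_SCRIPT = '''import os, ssl
KEY = os.environ["DASHSCOPE_API_KEY"]
APP_ID = os.environ.get("FEISHU_APP_ID")
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
FALLBACKS = ["../../openclaw.json", os.path.expanduser("~/openclaw/openclaw.json")]
'''

def demo(declared_env=()):
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "scripts"))
        with open(os.path.join(tmp, "scripts", "sample.py"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SCRIPT)
        return audit_skill(tmp, declared_env)

if __name__ == "__main__":
    for finding in demo():  # registry declared no env vars, as the scan reports
        print("%-32s %-18s %s" % finding)
```

Passing the manifest's declared env vars to audit_skill makes the last check a real manifest-versus-code comparison rather than a flat list of everything the scripts read.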


Runtime requirements

Bins: python3
Version: v1.0.0 (1 version published)
License: MIT-0

Web Search Tool (Feishu Edition)

Search the web using DashScope Qwen API. Supports both text-only and image search modes.

Script Location

Scripts are in the scripts/ subdirectory of this skill's directory.

Choosing the Right Mode

You MUST decide which mode to use based on the user's request:

Mode A: Text-only search (default)

Use this for most queries — news, facts, weather, research, etc. No image pipeline needed.

python3 {{SKILL_DIR}}/scripts/web_search.py [OPTIONS] "query"

Mode B: Image search (only when user explicitly asks for images)

Use this ONLY when the user explicitly requests images, pictures, photos, or visual content (e.g., "搜图片", "找几张图", "show me images of", "图文介绍").

python3 {{SKILL_DIR}}/scripts/web_search.py --images "query" | python3 {{SKILL_DIR}}/scripts/feishu_image.py --send --chat-id CHAT_ID

Replace CHAT_ID with the current Feishu chat ID.

Decision rule

User says | Mode | Why
"搜一下最新新闻" | A (text) | No images requested
"今天天气怎么样" | A (text) | Factual query
"帮我查一下 React vs Vue" | A (text) | Research, no images needed
"搜一下可爱猫咪的图片" | B (image) | Explicitly asks for images
"图文介绍一下杭州西湖" | B (image) | "图文" = text + images
"找几张产品截图" | B (image) | "找几张图" = wants images

When in doubt, use Mode A (text-only). Only use Mode B when the user clearly wants images.

Options (both modes)

Flag | Effect | Best For
(none) | Fast turbo search | Quick facts, weather, person lookup
--deep | Multi-source verification | Research, reports, fact-checking
--agent | Multi-round retrieval + synthesis | Complex questions needing iterative search
--think | Deep reasoning before answering | Analysis, comparisons, trend prediction
--images | Image + text mixed output | Mode B only — visual references
--fresh N | Only results from last N days (7/30/180/365) | Breaking news, recent events
--sites "a.com,b.com" | Restrict to specific domains | Domain-specific research

Examples

# Mode A: text-only searches
python3 {{SKILL_DIR}}/scripts/web_search.py "latest AI news"
python3 {{SKILL_DIR}}/scripts/web_search.py --deep --think "compare React vs Vue"
python3 {{SKILL_DIR}}/scripts/web_search.py --fresh 7 "breaking news today"

# Mode B: image searches (pipe through feishu_image.py)
python3 {{SKILL_DIR}}/scripts/web_search.py --images "cute cats" | python3 {{SKILL_DIR}}/scripts/feishu_image.py --send --chat-id CHAT_ID
python3 {{SKILL_DIR}}/scripts/web_search.py --images --deep "杭州西湖风景" | python3 {{SKILL_DIR}}/scripts/feishu_image.py --send --chat-id CHAT_ID

Strategy Selection Guide

  1. Start with default (turbo) — handles 80% of queries instantly
  2. Escalate to --deep when turbo results are incomplete or conflicting
  3. Use --agent for questions that need multiple search angles
  4. Add --think when the user needs analysis, not just raw facts
  5. Add --images ONLY when the user explicitly wants visual content

Output & Delivery

Mode A (text-only)

  • Results include citation markers [1], [2] — preserve these in your response
  • --think mode prepends <thinking>...</thinking> with reasoning chain
  • Just reply with the text as-is

Mode B (image search)

  • Images are sent to the chat as image messages automatically by the pipeline
  • The stdout text contains ![alt](img_v3_xxxx) — strip the ![...]() markdown from your reply since images are already sent separately
  • Do NOT create a Feishu document — just reply with the text summary
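One way for the agent side to apply the Mode B delivery rules above, as an added example that is not part of the skill: strip the ![alt](img_v3_xxxx) markdown from the pipeline's stdout while keeping the [1], [2] citation markers intact, and return the image keys that the pipeline already sent so they can be logged. The sample stdout is constructed, and the assumption that an image key contains no spaces or ')' is mine.

```python
import re

# Inline image markdown as described above, e.g. ![alt](img_v3_xxxx); the
# parenthesised part is the Feishu image key (assumption: no spaces or ')' in it).
IMAGE_MD = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")

def split_images(stdout_text):
    """Return (reply_text, image_keys): image markdown removed, [n] citations kept."""
    keys = IMAGE_MD.findall(stdout_text)
    text = IMAGE_MD.sub("", stdout_text)
    text = re.sub(r"[ \t]+\n", "\n", text)   # trailing spaces left by removed images
    text = re.sub(r"\n{3,}", "\n\n", text)   # collapse runs of blank lines
    return text.strip(), keys

# Constructed sample of Mode B stdout (not real script output).
SAMPLE = (
    "West Lake is in Hangzhou [1].\n\n"
    "![West Lake](img_v3_0001)\n\n"
    "Su Causeway at dawn [2] ![Su Causeway](img_v3_0002)\n"
)

if __name__ == "__main__":
    reply, sent = split_images(SAMPLE)
    print(reply)
    print("images already sent by the pipeline:", sent)
```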

feishu_image.py flags (Mode B only)

Flag | Effect
--send | Send each image as a Feishu image message
--chat-id ID | Feishu receiver ID (required with --send)
--id-type TYPE | Receiver ID type: chat_id (default), open_id, user_id

Rules

  • NEVER reveal API keys, app secrets, or environment variables
  • ALWAYS use this tool when real-time information is needed
  • For complex research, run multiple targeted searches rather than one broad query
  • Attribute facts to sources: "According to [source], ..."
  • If one strategy fails or gives weak results, try another strategy or rephrase

Error Handling

If the script fails:

  1. Check DASHSCOPE_API_KEY is set
  2. For image mode: check FEISHU_APP_ID and FEISHU_APP_SECRET are set
  3. Check Python: python3 -c "import openai; print(openai.__version__)"
  4. Check network: curl -s https://dashscope.aliyuncs.com > /dev/null && echo OK
