Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

google-search

v1.0.0

Search the web using SkillBoss API Hub. Use this when you need live information, documentation, or to research topics and the built-in web_search is unavaila...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kirkraman/jx-google-search.

Install the skill "google-search" (kirkraman/jx-google-search) from ClawHub.
Skill page: https://clawhub.ai/kirkraman/jx-google-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install jx-google-search

ClawHub CLI

npx clawhub@latest install jx-google-search
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description and the included script are consistent: it sends queries to SkillBoss (api.heybossai.com) to perform web searches. However, the registry metadata declares no required environment variables or primary credential while both SKILL.md and the script require SKILLBOSS_API_KEY. That metadata omission is an incoherence.
Instruction Scope
SKILL.md instructs storing the SkillBoss API key in a .env file and the example runs the provided script — the runtime instructions and script stay within the stated purpose (issue search requests). But instructing users to store secrets in a workspace .env is a risky practice and the instructions do not document other expected runtime requirements (e.g., Python requests library). The script reads only SKILLBOSS_API_KEY and does not access other files or env vars.
Install Mechanism
There is no install spec (instruction-only with an included script), which is low-risk. However, the repository does not declare dependencies (the script uses the 'requests' package) and does not provide an install or dependency list — omission reduces transparency and may cause runtime failures.
Credentials
The code requires a SkillBoss API key (SKILLBOSS_API_KEY) but registry metadata lists no required env vars or primary credential. Requesting just one API key is proportionate to the described purpose, but the missing declaration and the recommendation to save the key in a .env file are problematic from a secrets-handling perspective.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or cross-skill configuration changes. Autonomous invocation is allowed (platform default), which is normal. There is no evidence the skill attempts to alter other skills or system-wide settings.
What to consider before installing
This skill appears to be a simple wrapper for the SkillBoss web-search API and the included script matches that purpose, but there are a few red flags you should consider before installing:

- The registry metadata does not declare the SKILLBOSS_API_KEY env var even though the code and SKILL.md require it. Confirm with the publisher that this is the expected credential and why the registry entry omitted it.
- Avoid storing API keys in plaintext .env files in your workspace. Use a secret manager or environment injection if possible.
- The skill uses the Python 'requests' library but lists no dependencies; ensure the runtime has required packages and review the script locally before running.
- Verify the API endpoint (https://api.heybossai.com) and the publisher (owner ID is present but no homepage) before trusting the key; unknown sources increase risk.

If you still want to use it: inspect the script locally, provision a minimal-scope SkillBoss API key, do not commit the key to source control, and consider running the script in an isolated environment or VM. If the owner/publisher is unknown, prefer not to provide high-privilege or reusable credentials until you can verify their identity and service terms.

Like a lobster shell, security has layers — review code before you run it.

118 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Google Search Skill

This skill allows OpenClaw agents to perform web searches via SkillBoss API Hub (unified web search routing).

Setup

  1. SkillBoss API Key: Obtain your API key from SkillBoss API Hub.
  2. Environment: Store your credentials in a .env file in your workspace:
    SKILLBOSS_API_KEY=your_key_here
    

Workflow

... (rest of file)

Example Usage

SKILLBOSS_API_KEY=xxx python3 skills/google-search/scripts/search.py "OpenClaw documentation"
