ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

多搜索聚合器

v1.0.0

多搜索聚合器 - 一次搜索调用多个引擎(Tavily、Brave、Perplexity),结果统一返回

0· 103·0 current·0 all-time
by@lirun26

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lirun26/multi-search-aggregator.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "多搜索聚合器" (lirun26/multi-search-aggregator) from ClawHub.
Skill page: https://clawhub.ai/lirun26/multi-search-aggregator
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install multi-search-aggregator

ClawHub CLI

Package manager switcher

npx clawhub@latest install multi-search-aggregator
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (aggregating Tavily/Brave/Perplexity search results) matches the code and instructions. However the registry metadata declares no required environment variables or primary credential, while both SKILL.md and scripts/multi_search.py require API keys (TAVILY_API_KEY required, BRAVE_API_KEY and PERPLEXITY_API_KEY optional). The missing declaration is an incoherence: the skill will fail or silently return errors without keys, so the metadata is inaccurate.
Instruction Scope
The SKILL.md instructions and the script stay within the expected scope: they run the search script, read API keys from environment variables or ~/.openclaw/.env, and call the documented external search APIs. The example shows invoking the script via subprocess. There is no instruction to read unrelated files, exfiltrate arbitrary files, or call unexpected endpoints. Still, the skill will read ~/.openclaw/.env from the user's home; users should be aware that any secrets in that file may be read by the script.
Install Mechanism
No install spec; the skill is instruction/code-only and does not download or install external binaries. That lowers installation risk.
!
Credentials
Requesting API keys for Tavily, Brave, and Perplexity is proportionate to the stated purpose, but the skill does not declare these required env vars in its registry metadata. Moreover, TAVILY_API_KEY is effectively mandatory (the script returns an error if missing). The script reads ~/.openclaw/.env in addition to environment variables, which is reasonable for convenience but means secrets stored there will be read; the skill should explicitly list required env vars and primary credential in metadata.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system-wide settings, and does not write files or install agents. Autonomous invocation is allowed (platform default) but not combined with other high-risk behaviors.
What to consider before installing
What to check before installing: - The skill will send your queries (and any API keys you provide) to external services (Tavily, Brave, Perplexity). If your queries contain sensitive data, they may be transmitted to third parties. - The code expects TAVILY_API_KEY (mandatory) and optionally BRAVE_API_KEY and PERPLEXITY_API_KEY. The registry metadata incorrectly lists no required env vars — confirm that you are comfortable supplying at least a Tavily API key. - The script reads credentials from environment variables or ~/.openclaw/.env. Inspect that file and avoid storing unrelated secrets there. - Verify the API endpoints and model names if you have provider-specific concerns (billing, allowed content, or data-retention policies). - If you want stronger safety: ask the publisher to update registry metadata to declare required env vars (and primary credential), or run the script in a restricted environment that limits network access or the specific API keys used. Why this is marked suspicious: the main issue is metadata inconsistency (no declared required env vars vs. script requiring keys). This is likely a packaging/metadata oversight but should be corrected or clarified before trusting the skill with credentials. Additional information that would raise confidence to benign: an updated registry entry explicitly listing the required env vars (with primary credential), or confirmation from the author that Tavily is indeed required and how keys are used/stored.

Like a lobster shell, security has layers — review code before you run it.

aggregatorvk971887n6t7vxjwj26j0zk1tah83n6aclatestvk971887n6t7vxjwj26j0zk1tah83n6acsearchvk971887n6t7vxjwj26j0zk1tah83n6actavilyvk971887n6t7vxjwj26j0zk1tah83n6ac
103downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@lirun26
aggregatorlatestsearchtavily
Download

🔍 Multi-Search Aggregator 多搜索聚合器

一次搜索调用多个搜索引擎,返回统一格式的结果。

功能

  • 多源搜索: 同时调用 Tavily、Brave、Perplexity
  • 并行执行: 多源同时搜索,速度更快
  • 统一格式: 结果标准化输出
  • 灵活配置: 可选择启用哪些搜索源

配置

API Key 配置

~/.openclaw/.env 中配置:

# Tavily (必须,至少一个)
TAVILY_API_KEY=tvly-xxx

# Brave Search (可选)
BRAVE_API_KEY=xxx

# Perplexity (可选)
PERPLEXITY_API_KEY=xxx

使用方式

命令行

# 基本搜索(默认 Tavily + Brave)
python3 scripts/multi_search.py --query "关键词"

# 指定搜索源
python3 scripts/multi_search.py --query "关键词" --sources tavily,brave

# 指定结果数
python3 scripts/multi_search.py --query "关键词" --max-results 10

# 输出格式 (md/json/unified)
python3 scripts/multi_search.py --query "关键词" --format md
python3 scripts/multi_search.py --query "关键词" --format unified

在 Skill 中调用

import subprocess
import json

result = subprocess.run(
    ["python3", "scripts/multi_search.py", "--query", "搜索内容", "--format", "unified"],
    capture_output=True,
    text=True,
    cwd="/home/admin/.openclaw/workspace/skills/multi-search-aggregator"
)

data = json.loads(result.stdout)
print(data["answer"])  # AI 摘要
for r in data["results"]:
    print(f"{r['title']} - {r['url']}")

输出格式

Markdown (--format md)

# 🔍 搜索结果: 关键词

**调用源**: tavily, brave

## 📡 TAVILY
**摘要**: AI 总结...

1. **标题**
   🔗 url
   📝 摘要...

Unified JSON (--format unified)

{
  "query": "关键词",
  "sources": ["tavily", "brave"],
  "answer": "AI 总结...",
  "results": [
    {"source": "tavily", "title": "...", "url": "...", "snippet": "..."},
    {"source": "brave", "title": "...", "url": "...", "snippet": "..."}
  ]
}

示例

搜索 AI 新闻

python3 scripts/multi_search.py --query "AI 最新的技术突破" --sources tavily --format md

聚合搜索

python3 scripts/multi_search.py --query "python 教程" --sources tavily,brave --max-results 3 --format unified

搜索源对比

优点缺点
Tavily简单可靠,有 AI 摘要需要 API Key
Brave结果丰富需要 API Key
Perplexity答案引擎需要 API Key,较慢

扩展

如需添加新的搜索源,修改 scripts/multi_search.py 中的 search_xxx 函数:

  1. 添加加载 API Key 的逻辑
  2. 实现搜索函数
  3. aggregate_search 中注册

Comments

Loading comments...