Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Multi Search Engine 2
v1.0.0
Multi search engine integration with 17 engines (8 CN + 9 Global). Supports advanced search operators, time filters, site search, privacy engines, and WolframAlpha knowledge queries. No API keys required.
⭐ 1· 2k·22 current·28 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (aggregating 17 search engines and building search URLs) aligns with the SKILL.md, config.json, and reference files: the listed engine URLs and operators match the description and there are no unexpected credentials or binaries required. However there are metadata inconsistencies: the registry metadata at the top lists version 1.0.0 and owner ID kn75k3... while the included _meta.json shows ownerId kn79j8... and version 2.0.1. Source is unknown and no homepage or upstream repo is provided, which reduces provenance confidence.
Instruction Scope
Runtime instructions are instruction-only and simply show constructing search URLs and calling web_fetch on public search endpoints — no local file, environment, or system-path access is requested. That is coherent. However the examples and guides explicitly demonstrate advanced operators (e.g., intext:password, filetype:txt, cache:) that can be used to locate leaked credentials or other sensitive information (OSINT). While that capability is inherent to search engines, including such examples increases the potential for misuse and data-exposure activities.
Install Mechanism
No install specification and no code files executed at runtime beyond agent-invoked web_fetch calls. This instruction-only form minimizes on-disk code risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths — consistent with the stated functionality (no API keys required).
Persistence & Privilege
always is false and the skill does not request special persistence or modify other skills. Autonomous invocation is allowed (platform default), which is expected; combine this with other risks (unknown publisher) when deciding to enable autonomous runs.
What to consider before installing
This skill appears to do what it says (construct and fetch public search URLs) and requires no credentials or install. Still, consider the following before installing:
1) Provenance: the publisher and file metadata disagree (owner ID and version mismatches) and there's no homepage or repo — prefer skills with clear authorship.
2) Misuse potential: the documentation includes examples (e.g., intext:password, filetype:txt, cache:) that make it easy to craft OSINT queries to find leaked credentials or other sensitive info; think about whether you want an agent with autonomous web_fetch ability performing such queries.
3) If you proceed, limit autonomous invocation or monitor web_fetch outputs, avoid supplying sensitive or private keywords to the skill, and prefer installing only from verified sources or repositories with traceable authorship.
If you want higher assurance, ask the publisher for a source repo or signed release or choose a similar skill from a known maintainer.
Like a lobster shell, security has layers — review code before you run it.
latestvk978zdgn9s0afkazc7rn2zeb1d80xxsf
