Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Grok Search

Cross-platform real-time web research and search via an OpenAI-compatible Grok endpoint, returning JSON with content and sources. Use for version checks, API...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 66 · 1 current installs · 1 all-time installs
by 莫循 @moxunjinmu
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose is local, project-scoped web research via a Grok endpoint. However the repository includes a config.json with a populated base_url (https://ai.huan666.de) and what appears to be an API key; the SKILL metadata declares no required credentials. Bundling a live third-party endpoint and an API key inside the project is not necessary for a generic search skill and is disproportionate to the claimed minimal requirements.
Instruction Scope
Runtime instructions and code direct queries to an OpenAI-compatible /v1/chat/completions endpoint and return structured JSON. The code does not appear to read arbitrary system files or exfiltrate local files automatically, but any query (including error text or system data the agent supplies) will be sent to the configured external base_url. README also recommends a specific third‑party proxy and registration link, which effectively routes queries outside the user's control.
Install Mechanism
No install spec — this is instruction- and script-based and runs in the project folder. No external archives or downloads are fetched during installation (scripts are local), so install mechanism risk is low.
Credentials
Although the skill declares no required env vars or primary credential, the shipped config.json contains a bearer-style API key and third-party base_url. This is a mismatch: the package effectively supplies credentials and an external relay by default. That embedded secret and default endpoint are unnecessary and increase the risk that user queries (possibly containing sensitive data) are sent to a service that can log them.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide privileges, and only writes config into the project directory (configure.py writes a project-local config). There is no evidence it modifies other skills or global agent settings.
What to consider before installing
This skill will send whatever you query to a configured Grok-compatible endpoint. The repository includes a default config.json that points to a third‑party proxy (ai.huan666.de) and embeds an API key — do NOT assume that key or endpoint are trustworthy. Before installing: (1) Inspect and remove or replace config.json; treat the embedded API key as suspicious and do not use it. (2) Prefer to run the interactive configure.py and supply your own trusted base_url and key (or use an endpoint you control). (3) Avoid sending sensitive system or credential data in queries. (4) If you need assurance, ask the author to confirm the embedded key is non-functional/dummy, or verify the third‑party endpoint's trustworthiness. If you cannot verify those, consider this skill risky for handling sensitive data.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97f2rcv79egw3f671a8pb20hn83602z

SKILL.md

Openclaw Grok Search

Run cross-platform web research and return structured JSON output with content and sources. This skill is project-local and should run directly from the downloaded project directory.

When to Use

Use this skill before answering when any of these apply:

  1. The user asks for latest/current/today/recent information.
  2. The answer depends on versions, releases, changelogs, or compatibility.
  3. The task needs official docs, API references, or source URLs.
  4. The user reports an error and root-cause analysis needs web evidence.
  5. You are uncertain and need external confirmation before final output.

Quick Start

  1. Write config interactively (first run only).
         python scripts/configure.py
  2. Run a query.
         python scripts/grok_search.py --query "What changed in Python recently?"

Config Priority

  1. CLI args such as --base-url and --api-key
  2. Environment vars GROK_*
  3. Config files

Default config lookup order:

  1. config.json
  2. config.local.json

Cross-Platform Rules

  1. Prefer python ... commands, do not require PowerShell-only syntax.
  2. Keep config in the project folder, do not install or copy into ~/.codex.
  3. Support GROK_CONFIG_PATH only when you explicitly want a custom path.

Output Shape

Always print JSON with:

  1. ok
  2. content
  3. sources
  4. raw

Anti-Patterns

Prohibited | Correct
No source citation | Include Source [<sup>1</sup>](URL)
Give up after one failure | Retry at least once
Use built-in WebSearch/WebFetch | Use GrokSearch tools/CLI

Files

6 total