ℹ
Purpose & Capability
The code and dependencies (axios/undici, cheerio, scripts for multi‑search and extract) are consistent with a web search/HTML extraction tool. However the metadata and docs contain contradictory claims: SKILL.md/README say “no install spec / install included scripts only / OpenClaw provides Node.js so no Python needed” while the bundle contains both a large node_modules tree, package.json, package-lock, Python scripts, and a venv folder. The package.json declares Node engine constraints (>=20.18.1) not asserted in SKILL.md. The mixture of Node and Python artifacts and contradictory README lines (e.g., English README claiming “Scripts run locally - No network calls (unless specified)” vs. the SKILL.md explicitly requiring outbound HTTPS) is inconsistent and should be clarified.
!
Instruction Scope
SKILL.md tells the agent to run included scripts and claims no file writes and explicit SSRF checks in extract.py. The package does include extract scripts, but the pre-scan detected prompt‑injection patterns (base64 block and unicode control chars) inside SKILL.md which could indicate an attempt to influence evaluators or instructions. Also some documentation statements contradict network/file behavior (English README downplays network calls). The instructions do not list any explicit exfil endpoints, but because the scripts perform web requests and the bundle includes both Node and Python implementations, you should inspect scripts/multi-search.* and scripts/extract.* to confirm the claimed SSRF protections and ensure no unexpected file reads/writes or outbound requests to unknown endpoints occur.
ℹ
Install Mechanism
The skill is marked as instruction‑only (no install spec), yet the bundle includes a full node_modules tree and a venv. There are no download URLs or installer steps beyond 'npm install' suggested in README. Having dependencies vendored in the package reduces network install risk but increases surface area to audit (many third‑party packages included). No remote binary downloads or short/obfuscated URLs were found in the provided manifest.
✓
Credentials
The skill does not require any declared environment variables; optional API keys (TAVILY, Baidu, Bing, Google) are supported and described. That is proportional to a multi‑engine search tool. The README recommends storing API keys locally or via environment variables — good practice. There are no unrelated secrets requested.
✓
Persistence & Privilege
The skill does not request 'always: true' and uses default autonomous invocation settings. It declares local config path (~/.openclaw/workspace/skills/search-pro/config/search-config.json) for optional API keys. There is no evidence it modifies other skills or system settings.
Scan Findings in Context
[pre-scan:base64-block] unexpected: A base64-style block was detected in SKILL.md content. A search/aggregation skill doesn't need opaque base64 blocks in its runtime instructions; this could be an attempt at prompt‑injection or hiding content to influence evaluators. Manual review of SKILL.md and any embedded strings is recommended.
[pre-scan:unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These are often used to obfuscate or inject invisible instructions. Not expected in benign skill documentation; inspect the SKILL.md and the scripts for hidden or malicious directives.
What to consider before installing
What to check before installing:
- Inspect the actual scripts (scripts/multi-search.* and scripts/extract.*) before running. Confirm where HTTP requests are sent and that no unrecognized third‑party endpoints are called.
- Verify extract.py/js SSRF protections by reading the code that does IP/DNS checks; do not assume the comments are correct. Look for DNS resolution + address comparison logic and ensure it uses safe libraries and fails closed.
- Search the codebase for hardcoded remote endpoints, webhooks, or short URLs. If found, verify their purpose and ownership.
- The package includes a large vendor tree (node_modules) and a venv. That increases audit surface—prefer running in an isolated sandbox/container or ephemeral VM the first time.
- The SKILL.md contained suspicious patterns (base64/unicode control chars). Open the SKILL.md in a plain text editor and remove any hidden characters; confirm there are no hidden instructions or encoded payloads.
- Do not paste API keys into files until you confirm the storage path and behavior; prefer environment variables as advised (export TAVILY_API_KEY=...) and set file permissions (chmod 600) if storing locally.
- If you rely on this skill for sensitive environments, run it in a network‑restricted sandbox and monitor outbound traffic the first time it runs.
Why this is 'suspicious' not 'malicious': The code and dependencies align with the stated search/extraction purpose, and no obvious exfiltration code or download URLs were found in the manifest excerpt. However, contradictory documentation, vendor artifacts, and prompt‑injection patterns in the SKILL.md create ambiguity that requires human review before trusting the package or any secrets.
