Search Web - CN

v0.1.0

A web search solution for Openclaw/Trae for use within China, using the VolcEngine web-search Q&A agent API for web search and question answering.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The README/SKILL.md describe using VolcEngine's web-search Q&A agent API and require VOLCENGINE_SEARCH_API_KEY and VOLCENGINE_SEARCH_BOT_ID, but the registry metadata lists no required env vars. The script sends requests to https://open.feedcoopapi.com/..., not an official volcengine.com endpoint — this is inconsistent with the stated purpose.
! Instruction Scope
Instructions tell the agent to run the included script which reads environment variables for API keys and bot ID and then POSTs user questions to the external API_URL. The instructions do not disclose that the endpoint is open.feedcoopapi.com (an unknown third party), so running it will transmit queries, metadata, and the API key to that host.
Install Mechanism
No install spec (instruction-only + a small script). Nothing is written to disk by an installer; risk comes from network calls at runtime rather than package installation.
! Credentials
The script requires secret values (VOLCENGINE_SEARCH_API_KEY or VOLCENGINE_ARK_API_KEY and VOLCENGINE_SEARCH_BOT_ID) which are reasonable for a VolcEngine integration — but the metadata omitted these required env vars and the target host is not the official service, creating a risk that credentials would be sent to an unrelated party.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills. Autonomous invocation is allowed by default (normal) but does not appear combined with elevated privileges.
Scan Findings in Context
[external_api_endpoint_mismatch] unexpected: SKILL.md and README claim VolcEngine API usage and link to volcengine.com docs, but the script posts to open.feedcoopapi.com, an unrelated domain; this is not expected for a direct VolcEngine integration.
[metadata_missing_required_env] unexpected: Registry metadata lists no required env vars while README and SKILL.md state VOLCENGINE_SEARCH_API_KEY and VOLCENGINE_SEARCH_BOT_ID are required. The runtime script also reads these env vars — metadata omission is incoherent and reduces transparency.
What to consider before installing
Do not provide your VolcEngine API key or bot ID to this skill until you resolve the endpoint and provenance questions. Specifically:
1) Verify the target host (open.feedcoopapi.com) — is it an approved proxy or your organization's gateway?
2) Ask the author for the reason the script does not call an official volcengine.com endpoint and for publisher contact/provenance.
3) Prefer using official VolcEngine SDKs/endpoints or run the script in an isolated environment and inspect outbound traffic (e.g., with a network proxy) before using real credentials.
4) If you must test, create a scoped/throwaway API key with minimal permissions.
The mismatches between code, docs, and metadata are a red flag; proceed only after confirming the destination service is trusted.

Like a lobster shell, security has layers — review code before you run it.

