Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skywork Search

Search the web for real-time information using the Skywork web search API. Use this skill whenever the user needs up-to-date information from the internet —...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 25 · 0 current installs · 0 all-time installs
by Skywork AI @gxcun17
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the code: the scripts call a Skywork search API and implement an auth flow. However the registry metadata lists no environment variables required while the code expects/uses environment variables (SKYBOT_TOKEN, SKYWORK_GATEWAY_URL, SKYWORK_API_BASE, SKYWORK_WEB_BASE). The ability to override API and login endpoints via env vars is a capability that should have been declared and documented in metadata.
Instruction Scope
SKILL.md instructs the agent to run the provided auth and search scripts, read the resulting files, and always surface any printed [LOGIN_URL] to the user. The scripts only access the network, write a token to ~/.skywork_token, and write temporary result files; they don't read arbitrary user files. Still, the instruction to immediately display any login URL (without domain verification) and the auth script's behavior of opening a browser and polling for tokens expands the agent's interaction surface and creates phishing-like risks if endpoints were tampered with.
Install Mechanism
No install steps or external downloads are present; this is instruction-plus-local-scripts only, so nothing is fetched or installed at runtime by the skill beyond running the bundled Python code.
Credentials
The skill requires a Skywork token (SKYBOT_TOKEN or a cached ~/.skywork_token) which is appropriate for an API client, but these credentials are not declared in the registry metadata. More importantly, environment variables can override API and login endpoints (SKYWORK_API_BASE, SKYWORK_WEB_BASE, SKYWORK_GATEWAY_URL). If an attacker or misconfiguration sets those env vars, the skill could send tokens to an arbitrary endpoint. The token is persisted to a global home path (~/.skywork_token), making it available to other processes and skills on the same account.
Persistence & Privilege
The skill writes a persistent token file to the user's home (~/.skywork_token) and writes temporary search results to a temp directory. It does not request always:true or modify other skills. Persistence is expected for an auth flow but it is a durable side-effect the user should be aware of.
What to consider before installing
This skill appears to implement a legitimate web-search integration, but review and caution are advised before installing:

  • Verify the source/trustworthiness: the package source is 'unknown' and no homepage is provided. Prefer skills whose owners and code provenance you trust.
  • Check and protect credentials: the script looks for SKYBOT_TOKEN and saves tokens to ~/.skywork_token. If you install, ensure that file contains only tokens you expect and remove it when you no longer trust the skill.
  • Beware of endpoint overrides: the code honors SKYWORK_API_BASE, SKYWORK_WEB_BASE, and SKYWORK_GATEWAY_URL environment variables. Ensure these are not set to untrusted domains in your environment (an attacker-controlled override could capture tokens).
  • Treat login URLs as sensitive: the auth script prints a [LOGIN_URL] and asks the agent to surface it to the user. Confirm the URL domain (should match skywork.ai / api.skywork.ai) before visiting to avoid phishing.
  • Run in isolation if possible: consider running the skill in a sandboxed or ephemeral environment (separate user account or container) so the ~/.skywork_token file and any network activity are isolated.
  • Inspect and test manually: if you can, review the included scripts locally and run the auth flow manually to confirm domains and token behavior before enabling autonomous invocations.

If you can't verify the owner or ensure there are no malicious env overrides, avoid installing or run it in a tightly controlled environment.
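
The endpoint-override and login-URL checks recommended above can be scripted and run before the skill is invoked. The following Python is an added example, not code from the skill or from ClawHub; the function names are hypothetical, and it assumes the URL is the remainder of the [LOGIN_URL] line and that only https hosts at or under skywork.ai are trusted.

```python
import os
from urllib.parse import urlsplit

# Assumption: trusted domain taken from the scan's advice (skywork.ai / api.skywork.ai).
TRUSTED_SUFFIXES = ("skywork.ai",)
OVERRIDE_VARS = ("SKYWORK_API_BASE", "SKYWORK_WEB_BASE", "SKYWORK_GATEWAY_URL")
MARKER = "[LOGIN_URL]"


def is_trusted_url(url):
    """True only for https URLs whose host is a trusted domain or a subdomain of one."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    # Reject userinfo: "https://skywork.ai@other.example/" really points at other.example.
    if parts.scheme != "https" or not host or parts.username or parts.password:
        return False
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def untrusted_overrides(env=None):
    """Return {var: value} for endpoint overrides that point outside the trusted domains."""
    env = os.environ if env is None else env
    return {v: env[v] for v in OVERRIDE_VARS if env.get(v) and not is_trusted_url(env[v])}


def vet_auth_output(output):
    """Sort the URLs on [LOGIN_URL] lines of the auth script's output into (safe, rejected)."""
    safe, rejected = [], []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(MARKER):
            url = line[len(MARKER):].strip()
            (safe if is_trusted_url(url) else rejected).append(url)
    return safe, rejected


if __name__ == "__main__":
    # Constructed sample output; the real script's other log lines are not shown on the page.
    sample = (
        "no cached token, starting login\n"
        "[LOGIN_URL] https://skywork.ai/login?state=constructed\n"
        "[LOGIN_URL] https://skywork.ai.login.example/login?state=constructed\n"
    )
    print("overrides to unset:", untrusted_overrides())
    print("safe / rejected login URLs:", vet_auth_output(sample))
```

Only URLs in the safe list should be surfaced to the user; a non-empty result from untrusted_overrides() is a reason to stop before running the auth script at all.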

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0

SKILL.md

Web Search Skill

Search the web for real-time information via the Skywork search API. This skill lets you run up to 3 queries in a single invocation and returns structured results with source URLs and content snippets.

When to use

  • The user asks you to research a topic or find current information
  • You need up-to-date facts, statistics, or news to answer a question
  • Another task (writing a report, creating a PPT, drafting a document) needs web research as a preliminary step
  • The user explicitly asks to search or look something up

Authentication (Required First)

Before using this skill, authentication must be completed. Run the auth script first:

# Authenticate: checks env token / cached token / browser login
python3 <skill-dir>/scripts/skywork_auth.py || exit 1

Token priority:

  1. Environment variable SKYBOT_TOKEN → if set, use directly
  2. Cached token file ~/.skywork_token → validate via API, if valid, use it
  3. No valid token → opens browser for login, polls until complete, saves token

IMPORTANT - Login URL handling: If script output contains a line starting with [LOGIN_URL], you MUST immediately send that URL to the user in a clickable message (e.g. "Please open this link to log in: <url>"). The user may be in an environment where the browser cannot open automatically, so always surface the login URL.

How to use

Run the bundled script from this skill's scripts/ directory:

python3 <skill-path>/scripts/web_search.py "query1" ["query2"] ["query3"]

  • Pass 1–3 search queries as positional arguments
  • Results are saved to individual text files in a temporary directory
  • The script prints the file paths to stdout so you can read them

Crafting good queries

Search quality depends heavily on query phrasing. A few tips:

  • Be specific: "Tesla Q4 2025 revenue" works better than "Tesla financials"
  • Use natural language: The API handles full questions well — "What is the current population of Tokyo?" is fine
  • Split broad topics: If the user wants a comprehensive overview, break it into 2–3 focused queries rather than one vague one
  • Include time context when relevant: "best Python web frameworks 2026" rather than just "best Python web frameworks"

Reading results

After running the script, read the output files. Each file contains:

query: <the original query>

[result-1] <source URL>
<content snippet>

[result-2] <source URL>
<content snippet>
...

Synthesize the results into a clear answer for the user. Always cite sources when presenting factual information — include the URLs from the results so the user can verify.

Example workflow

User asks: "What are the latest developments in quantum computing?"

  1. Run the search with focused queries:
    python3 <skill-path>/scripts/web_search.py \
      "quantum computing breakthroughs 2026" \
      "quantum computing industry news latest"
    
  2. Read the result files
  3. Synthesize findings into a clear, sourced summary for the user

Limitations

  • Maximum 3 queries per invocation (the script caps it)
  • Each query has a 30-second timeout
  • Results depend on the Skywork search API availability

Files

3 total