ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workspace Main

v1.0.0

Multi search engine integration with 17 engines (8 CN + 9 Global). Supports advanced search operators, time filters, site search, privacy engines, and Wolfra...

0· 347·2 current·2 all-time
by@sonyrw
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
SKILL.md claims a lightweight 'multi-search-engine' instruction-only skill (no binaries, no env vars). The repository actually contains a substantial Node.js project (Capability Evolver) with many scripts, a daemon loop, git integration, hooks, and validation logic. The declared requirements (none) conflict with the obvious runtime needs (Node.js >=18, Git) described in README and some scripts. This is an incoherence: much of the codebase does not belong to the simple 'multi-search' purpose.
!
Instruction Scope
The runtime SKILL.md only shows web_fetch usage for search URLs. However, other documents (AGENTS.md, README, scripts) instruct agents to read workspace files (SOUL.md, USER.md, memory files), load .env, run lifecycle loops, and may execute validation commands. Index.js and solidify logic can run commands and spawn processes. The SKILL.md does not disclose these broader behaviors, so the agent could end up reading local sensitive files or executing code not implied by the public skill description.
!
Install Mechanism
No install spec is declared (instruction-only), which is low risk by itself, but the repo includes 75+ code files requiring Node/Git to run. There is no declared required binary list though README and scripts assume Node and Git. There are no external downloads, which is good, but the mismatch between 'no install' and a non-trivial codebase is inconsistent and risky if the platform loads/executes these files automatically.
!
Credentials
SKILL.md claims 'No API keys required' and the registry metadata lists no required env vars, but README and code reference many optional and required env vars for functionality (EVOLVE_STRATEGY, PUBLIC_REMOTE/PUBLIC_REPO/PUBLIC_OUT_DIR, GITHUB_TOKEN / GH_TOKEN for auto-issue reporting, EVOLVER_* settings). index.js loads .env via dotenv. The code can therefore access secrets if present — requesting no env vars in metadata is misleading.
Persistence & Privilege
always: false and user-invocable are standard. However the code includes a daemon/loop mode (node index.js --loop), singleton pid files, self-restart behavior (spawn), lifecycle scripts, and hooks that inject files at agent bootstrap. If invoked (or if the runtime auto-executes package scripts), the skill can create background processes and write files. This is not flagged as 'always: true' but it does have persistence capabilities if run.
What to consider before installing
Don't install blindly. The SKILL.md describes only a simple web_fetch multi-search helper, but the package contains a large evolver engine that reads .env, talks to Git/GitHub, can run node/npm commands, spawn processes, and read workspace memory files. Before installing: (1) ask the publisher for provenance and why the evolver code is bundled with a search skill; (2) review or sandbox the code—especially index.js, src/gep/solidify, and any scripts that call child_process or start networking/heartbeat; (3) ensure no sensitive .env or tokens are present in the environment where you install it; (4) if you must try it, run in an isolated container or restricted environment with Node and Git available but no credentials, and do not run daemon/--loop modes until you audit behavior. If you are not comfortable reviewing Node code, prefer not to install this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk9773ab2v3pv69jtzvvsam71hn82g73j
347downloads
0stars
1versions
Updated 6h ago
v1.0.0
MIT-0
@sonyrw
latest
Download

Multi Search Engine v2.0.1

Integration of 17 search engines for web crawling without API keys.

Search Engines

Domestic (8)

  • Baidu: https://www.baidu.com/s?wd={keyword}
  • Bing CN: https://cn.bing.com/search?q={keyword}&ensearch=0
  • Bing INT: https://cn.bing.com/search?q={keyword}&ensearch=1
  • 360: https://www.so.com/s?q={keyword}
  • Sogou: https://sogou.com/web?query={keyword}
  • WeChat: https://wx.sogou.com/weixin?type=2&query={keyword}
  • Toutiao: https://so.toutiao.com/search?keyword={keyword}
  • Jisilu: https://www.jisilu.cn/explore/?keyword={keyword}

International (9)

  • Google: https://www.google.com/search?q={keyword}
  • Google HK: https://www.google.com.hk/search?q={keyword}
  • DuckDuckGo: https://duckduckgo.com/html/?q={keyword}
  • Yahoo: https://search.yahoo.com/search?p={keyword}
  • Startpage: https://www.startpage.com/sp/search?query={keyword}
  • Brave: https://search.brave.com/search?q={keyword}
  • Ecosia: https://www.ecosia.org/search?q={keyword}
  • Qwant: https://www.qwant.com/?q={keyword}
  • WolframAlpha: https://www.wolframalpha.com/input?i={keyword}

Quick Examples

// Basic search
web_fetch({"url": "https://www.google.com/search?q=python+tutorial"})

// Site-specific
web_fetch({"url": "https://www.google.com/search?q=site:github.com+react"})

// File type
web_fetch({"url": "https://www.google.com/search?q=machine+learning+filetype:pdf"})

// Time filter (past week)
web_fetch({"url": "https://www.google.com/search?q=ai+news&tbs=qdr:w"})

// Privacy search
web_fetch({"url": "https://duckduckgo.com/html/?q=privacy+tools"})

// DuckDuckGo Bangs
web_fetch({"url": "https://duckduckgo.com/html/?q=!gh+tensorflow"})

// Knowledge calculation
web_fetch({"url": "https://www.wolframalpha.com/input?i=100+USD+to+CNY"})

Advanced Operators

OperatorExampleDescription
site:site:github.com pythonSearch within site
filetype:filetype:pdf reportSpecific file type
"""machine learning"Exact match
-python -snakeExclude term
ORcat OR dogEither term

Time Filters

ParameterDescription
tbs=qdr:hPast hour
tbs=qdr:dPast day
tbs=qdr:wPast week
tbs=qdr:mPast month
tbs=qdr:yPast year

Privacy Engines

  • DuckDuckGo: No tracking
  • Startpage: Google results + privacy
  • Brave: Independent index
  • Qwant: EU GDPR compliant

Bangs Shortcuts (DuckDuckGo)

BangDestination
!gGoogle
!ghGitHub
!soStack Overflow
!wWikipedia
!ytYouTube

WolframAlpha Queries

  • Math: integrate x^2 dx
  • Conversion: 100 USD to CNY
  • Stocks: AAPL stock
  • Weather: weather in Beijing

Documentation

  • references/advanced-search.md - Domestic search guide
  • references/international-search.md - International search guide
  • CHANGELOG.md - Version history

License

MIT

Comments

Loading comments...