cpbox-web-search

v1.0.0

USE FOR web search. Returns ranked results with snippets, URLs, thumbnails. Supports freshness filters, SafeSearch, Goggles for custom ranking, pagination. P...

by springmint @sprintmint
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md documents a web-search API (cpbox.io) with query params, pagination, SafeSearch, freshness, and custom ranking. Nothing in the instructions asks for unrelated credentials or capabilities.
Instruction Scope
Instructions stay focused on using the cpbox web-search API and the x402 payment flow. However, they (a) recommend calling npx/@springmint/x402-payment or the Go SDK which will fetch and execute remote code, (b) allow providing precise lat/long location headers (privacy-sensitive), and (c) include an 'enable_rich_callback' option that enables third-party callbacks — these options can transmit user data outside the agent if enabled. The SKILL.md does not instruct reading any unrelated local files or secrets, but it assumes a local wallet/signing capability.
Install Mechanism
The skill is instruction-only (no install spec or code files), which is low-risk. The guidance to use 'npx @springmint/x402-payment' or import the SDK is expected for a paid API, but npx will fetch and execute remote npm code at runtime — a potential source of risk if you haven't reviewed the package. The skill metadata did not declare 'npx' or a Node requirement, which is a mild mismatch but not serious.
Credentials
requires.env is empty and no credentials are declared, which aligns with the SKILL.md claim that wallets/keys remain local. That said, the payment flow requires signing (EIP-712) with a local wallet/private key; the skill assumes you have a wallet tool but does not request or document where signing occurs. Also optional headers (precise location) and enabling rich callbacks may expose sensitive data even though no secret env vars are required.
Persistence & Privilege
always is false, no install script or persistent config is declared, and the skill does not request system-wide changes or access to other skills' configs. It does not ask for autonomous always-on presence.
Assessment
This skill appears to be what it says (a paid web-search proxy). Before installing/using it: (1) Review the @springmint/x402-payment package (or x402-sdk-go) before using npx to ensure you trust that code, since npx will fetch and run remote code. (2) Do not paste or provide private keys; prefer using a local wallet signer or hardware wallet to produce the EIP-712 payment signature. (3) Be cautious with optional features: supplying exact lat/long or enabling rich 3rd‑party callbacks can leak sensitive location or content to external services. (4) If you need stronger assurance, ask the publisher for the package repository/maintainer details and a signed release or run the SDK code in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latest vk9761n1rvxj067ak1b39dbyx2583f56p
