ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ollama Web Search CLI

v1.0.5

使用 Ollama Web Search API 进行网络搜索和网页抓取

0· 88·0 current·0 all-time
bySunnyDoy@sunnydou
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (Ollama web search/fetch) matches what the script and SKILL.md do: POST to Ollama web_search and web_fetch endpoints. However the registry metadata lists no required env vars/credentials while SKILL.md and the bundled script both require OLLAMA_API_KEY — this mismatch is unexpected.
Instruction Scope
Runtime instructions and the shell script limit themselves to constructing JSON, calling Ollama API endpoints with curl, parsing JSON with python3, and printing results. The script validates inputs (length, URL scheme), redacts the API key in error messages, and uses a temp dir; it does not attempt to read unrelated files or other environment variables.
Install Mechanism
No install spec is provided (instruction-only packaging) and the included shell script is executed directly. No downloads from third-party URLs or archive extraction are performed by the skill itself.
!
Credentials
The SKILL.md and the script explicitly require OLLAMA_API_KEY (used as an Authorization: Bearer header). The registry-level metadata in the provided package claims no required environment variables or primary credential — this inconsistency could lead to the platform failing to surface the secret requirement or to users being surprised when a credential is requested. Otherwise, the number and type of env vars requested (a single API key) is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true, has no special OS or persistent privileges, and does not modify other skills or system-wide settings. It runs as an on-demand CLI invocation, which is appropriate.
What to consider before installing
What to consider before installing: - The script and SKILL.md require OLLAMA_API_KEY, but the registry metadata lists no required env vars — verify with the skill author or registry whether the package should declare that secret requirement. Do not rely on registry metadata alone. - Confirm the endpoints (https://ollama.com/api/web_search and /api/web_fetch) are legitimate for your account; test with a low-privilege or ephemeral key first and avoid using high-privilege credentials. - The package source/homepage is missing/unknown. Prefer skills that publish a maintainer homepage or repository so you can audit updates and provenance. - Because this skill will send requested URLs and queries to an external API, do not use it with sensitive URLs or confidential queries unless you trust the Ollama account and have confirmed the privacy/retention policy. - If you proceed: supply the minimal-scoped API key, monitor its usage, and rotate the key after testing. If the registry metadata is updated to explicitly declare OLLAMA_API_KEY and the skill source is verified, this would reduce the concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk97argy5ydskd96nbwnfm3bsah83n62w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Environment variables
OLLAMA_API_KEYrequiredOllama API Key for web search and fetch endpoints

Comments