Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Search Assistant
v1.0.0 Real-time internet search using the Serper API (accessible from within China, based on Google Search)
by flyingants @tom859174-sketch
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (Serper-based web search) align with the code and network endpoint (https://google.serper.dev/search). However, the bundle includes an embedded API key in web_search.py that is not declared in requires.env or documented as pre-provided; this is an unexpected direct credential inclusion even though it permits the stated capability.
Instruction Scope
SKILL.md tells the user to edit web_search.py to replace a placeholder API key and to install the 'requests' library. The code already contains a non-placeholder hard-coded SERPER_API_KEY value and does not use the requests library (it uses urllib). These inconsistencies mean the runtime instructions are inaccurate and may mislead users about who owns the API key and what dependencies are required.
Install Mechanism
No install spec is provided (instruction-only skill with a code file). Nothing is downloaded or written by an installer, which is the lower-risk option. The only required binary is python, which is appropriate for a Python script.
Credentials
No environment variables are required, but the script embeds an HTTP API key in source code (SERPER_API_KEY). Embedding a third-party API key in shipped code is disproportionate: it risks key leakage, abuse of someone else's quota, and provides no auditability for the user. A more appropriate design would declare the API key as a required env var or use the agent's secure config mechanism.
Persistence & Privilege
The skill does not request persistent/autonomous privileges beyond normal skill invocation (always:false). It does not modify other skills or system settings.
What to consider before installing
This skill will perform Serper Google-like searches and is otherwise straightforward, but two red flags deserve attention: (1) web_search.py contains a hard-coded Serper API key — using someone else's embedded key can expose you to quota limits, unexpected billing or abuse, and the owner may revoke it at any time. Replace it with your own key or, better, modify the script to read the key from a secure environment variable or OpenClaw secret store before use. (2) SKILL.md tells you to install the 'requests' package even though the script uses urllib; the docs are inaccurate. Before installing, verify and remove the embedded API key, confirm you understand and supply your own Serper API key, and consider editing the code to load credentials from an env var (e.g., SERPER_API_KEY) and to validate rate limits. If you do not want to expose your own API key to the skill, do not install or run it as-is.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔍 Clawdis
Bins: python
