Zhipu Z.ai web search
v1.0.0
Use ZHIPU AI's Web Search API to search the web (optimized for Chinese, supports 4 engines). Use when user asks to search, especially for Chinese content.
⭐ 0 · 312 · 5 current · 5 all-time
by @tyduss
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is a web-search integration for Zhipu (open.bigmodel.cn) and the included script clearly requires an API key to call that endpoint, which is coherent with the description. However, the registry metadata lists no required environment variables or primary credential while SKILL.md and scripts expect ZAI_API_KEY (and config.json). That metadata omission is an inconsistency that can mislead users about required secrets.
Instruction Scope
Runtime instructions and the CLI script limit activity to making HTTPS requests to open.bigmodel.cn and formatting results (expected). However SKILL.md instructs the agent to "Check for Other Search Skills" using Glob (i.e., scan the local skills folder) and to offer replacing existing search tools — this implies reading other skill files/configs. Reading other skills' directories is scope creep compared with a simple search integration and could expose metadata about other installed skills.
Install Mechanism
There is no install spec and no remote downloads; the skill is delivered with a local Node.js script and docs. That is low install risk (nothing is fetched from arbitrary URLs).
Credentials
The code and documentation require a sensitive API key (ZAI_API_KEY / apiKey in config.json), but the skill metadata does not declare this. The docs recommend several storage locations including the skill folder ("easy to share") which is insecure — storing secrets in the skill folder can leak keys if the folder is shared/backed up. The script only uses that single API key and user config files (~/.config), so the number of credentials requested is appropriate, but how the docs recommend storing it is risky and the missing metadata declaration is misleading.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills or system-wide settings. It only reads config files in well-known locations (skill folder and ~/.config) and environment variables. Autonomous invocation is allowed (platform default) but is not combined with other high-risk privileges.
What to consider before installing
This skill appears to be a legitimate Zhipu web-search integration, but take these precautions before installing:
1) The package metadata did NOT declare the required API key even though the script needs ZAI_API_KEY — expect to provide a Zhipu API key.
2) Do NOT store your API key in the skill folder if you care about secrecy; prefer an environment variable or a user config file with limited file permissions (e.g., ~/.config/zai-web-search/config.json set to 600).
3) Be aware the SKILL.md suggests scanning your other skills (via Glob) to recommend replacing them — that will read local skill files/configs; ensure you are comfortable with that.
4) Verify the endpoint (open.bigmodel.cn/api/paas/v4/web_search) is the official Zhipu API and that you trust the skill publisher (owner unknown).
5) Consider asking the publisher to update the registry metadata to list ZAI_API_KEY as a required credential and to remove guidance that encourages putting secrets in shareable locations.
If you want, I can point out the exact lines in the code/docs to change or suggest a safer config flow.
Like a lobster shell, security has layers — review code before you run it.
latest vk974z0d61jbbjfha7awj7nfstn828kgk
