Zhipu Z.ai web search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Zhipu/Z.AI web-search skill, but users should understand that searches and an API key are sent to an external paid provider.

Install only if you want OpenClaw searches to use Zhipu/Z.AI. Use a dedicated API key, keep it out of git and screenshots, prefer a protected user config or environment variable, and do not search for secrets, private project data, or regulated personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill instructs use of environment variables and API-key based configuration, but no explicit permissions or trust boundaries are declared in the skill metadata. That mismatch can cause the agent platform or user to underestimate the skill's access to secrets and external resources, increasing the chance of unintended secret handling or execution in contexts that would otherwise require consent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The quickstart explicitly instructs users to place a live API key into `config.json` but does not warn that this stores a secret in plaintext on disk, where it may be exposed through backups, accidental commits, local compromise, or permissive file permissions. In a developer tooling/agent skill context, this is more dangerous because users commonly work in shared repos or home directories and may copy, sync, or inspect configuration files routinely.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README explicitly tells users to place a live API key in local config files and environment variables, but it does not warn that these are sensitive secrets that must be protected from disclosure, excluded from version control, and handled carefully in logs or shared screenshots. This can lead to accidental credential exposure through committed files, shell history, backups, or multi-user systems, especially because the documentation presents these storage methods as routine setup steps.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The top-level description says to use the skill whenever the user asks to search, especially for Chinese content, without requiring confirmation that third-party search is appropriate. Broad routing guidance can make the agent invoke this skill for common requests and transmit user prompts externally even when the user did not specifically consent to using ZHIPU's service.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The 'When to Use' section overlaps heavily with generic search behavior and lacks meaningful constraints around sensitivity, consent, or data handling. In practice this increases the likelihood of over-invocation and unnecessary sharing of user queries with an external provider.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The description emphasizes search quality and engine support but does not clearly disclose that user search terms are sent to ZHIPU AI's external API. This omission weakens informed consent and can expose sensitive prompts, internal project names, or personal data to a third party without the user realizing it.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script sends the user's search query and optional domain/filter metadata to a third-party service at open.bigmodel.cn, but the normal CLI flow does not clearly disclose that user input leaves the local environment before transmission. This creates a real privacy risk because users may enter sensitive queries, credentials, internal project names, or regulated data under the assumption they are just using a local search helper.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (quoted from the skill's README; the request body is cut off in the scan output):

You can also call the API directly via curl:

```bash
curl -s https://open.bigmodel.cn/api/paas/v4/web_search \
  -H "Authorization: Bearer $ZAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence: 97%
Finding: `curl -s https://open.bigmodel.cn/api/paas/v4/web_search \ -H "Authorization: Bearer $ZAI_API_KEY" \ -H "Content-Type: application/json" \ -d`

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (quoted from the skill's README):

1. **Get an API Key**: Visit [https://open.bigmodel.cn](https://open.bigmodel.cn) to register and get your API key

2. **Choose Configuration Method**:
   - Create `config.json` in this skill folder (recommended)
   - Set `ZAI_API_KEY` environment variable
   - Use user config at `~/.config/zai-web-search/config.json`

Confidence: 86%
Finding: `Create config.json in this skill folder (recommended) - Set ZAI_API_KEY environment variable - Use user config at ~/.config/zai-web-search/config.json 3. **Replace Other Search Skills** (`

VirusTotal

66/66 vendors flagged this skill as clean.
