Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

free-web-search-js

v1.0.0

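Playwright-driven web search tool that automatically fetches the content of the top three result pages. No API key required; uses Bing for mainland China and DDG for overseas searches.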

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ucsdzehualiu/free-web-search-js.

Install the skill "free-web-search-js" (ucsdzehualiu/free-web-search-js) from ClawHub.
Skill page: https://clawhub.ai/ucsdzehualiu/free-web-search-js
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install free-web-search-js

ClawHub CLI

npx clawhub@latest install free-web-search-js

Security Scan

Capability signals
Crypto
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description (Playwright-driven search + fetch) matches the included files (search.js, fetch.js, browser-daemon.js, setup script, package.json). Dependencies and the need to download Chromium are expected for this functionality. No unrelated credentials or system-level config paths are requested.
Instruction Scope
SKILL.md and the scripts instruct the agent to perform network calls (search engines and IP probe services), fetch and parse web pages, and optionally run a persistent Chromium daemon. The instructions and code operate within the skill directory (writes .browser-endpoint) and do not attempt to read unrelated system files. Note: runtime helper functions will auto-run npm install for missing dependencies (execSync), and the tool will contact external IP detection services and search engines as part of normal operation.
Install Mechanism
No platform-level install spec is declared, but SKILL.md includes manual setup steps (npm install, npx playwright install chromium) and provides a setup.sh. The code will attempt to install missing npm packages at runtime via child_process.execSync if dependencies are absent — this is convenient but means the skill can fetch and install packages from npm when first run.
Credentials
The skill declares no required environment variables or credentials and only reads standard environment locations (HOME, LOCALAPPDATA) to find Playwright caches; those uses are consistent with the stated purpose. It does not request tokens/secrets or unusual system config paths.
Persistence & Privilege
always:false and model invocation not disabled (normal). The skill can start a long-running Chromium daemon and create a .browser-endpoint file in its own directory to enable browser reuse; this is a self-contained persistence mechanism but does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: it runs a Node.js program that queries public IP services and search engines, fetches and parses top result pages, and (optionally) launches/reuses a headful Chromium via Playwright. Before installing, consider: 1) it will download/run Playwright and a ~150MB Chromium browser and may run npm install (network downloads) if dependencies are missing — run in a controlled environment (container/VM) if you have security concerns; 2) the skill will make outbound network requests to multiple third-party services (ipip, cip.cc, ipinfo, ipapi, Bing, DDG, target pages) as part of normal operation; 3) it writes a .browser-endpoint file in the skill directory and can spawn a background process (browser daemon) — stop it when not needed; 4) the source/homepage is unknown, so if you require provenance, review the code locally before running or run it in an isolated environment. If you accept those behaviors, the profile is coherent and consistent with its description.
scripts/_batch_test.js:24
Shell command execution detected (child_process).
scripts/_batch_test2.js:25
Shell command execution detected (child_process).
scripts/_bench.js:3
Shell command execution detected (child_process).
scripts/check-env.js:20
Shell command execution detected (child_process).
scripts/fetch.js:63
Shell command execution detected (child_process).
scripts/search.js:32
Shell command execution detected (child_process).
scripts/browser-daemon.js:22
File read combined with network send (possible exfiltration).
scripts/fetch.js:30
File read combined with network send (possible exfiltration).
scripts/search.js:154
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk973hbva26vw1ct8grjvvc367d85g78r
61 downloads
0 stars
1 version
Updated 3d ago
v1.0.0
MIT-0

SKILL.md


name: free-web-search-js
description: Playwright 联网搜索,自动抓取内容,零 API Key
version: 28.0.0
trigger_keywords:
  - 搜索
  - 查一下
  - 找一下
  - 最新消息
  - 新闻
  - 教程
  - 是什么
  - search
  - find
tools:
  - name: search
    description: 搜索+自动抓取,国内Bing Playwright,海外DDG HTTP
    script: scripts/search.js
    parameters:
      query:
        type: string
        description: "搜索关键词"
        required: true
      max:
        type: integer
        description: "最大结果数,默认10,上限30"
        required: false
      region:
        type: string
        description: "区域: auto/cn/intl,默认auto按IP检测"
        required: false
  - name: fetch
    description: 给定URL抓取正文,HTTP优先失败自动headed兜底
    script: scripts/fetch.js
    parameters:
      urls:
        type: string
        description: "要抓取的URL,多个用空格分隔"
        required: true
      max-len:
        type: integer
        description: "单页最大字符数,默认12000"
        required: false

free-web-search-js

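One step: search → Playwright search → automatic content fetch → return

Architecture

Mainland China:
  Playwright opens Bing → gets cookies from the home page → submits via the search box
  → automatically fetches the content of the top 3 pages
  Latency: 3~6s on the first run (browser startup); faster afterwards through reuse

Overseas:
  Plain HTTP → DDG HTML parsing
  → automatically fetches the content of the top 3 pages
  Latency: a few hundred ms to 1s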

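Search engines

| Engine | Protocol | Region | Notes |
|---|---|---|---|
| Bing CN | Playwright, search-box submission | Mainland China | Visits the home page first to get cookies, then types into the search box and submits |
| Sogou | Plain HTTP | Mainland China | Optional via --engine=sogou; ⚠ without cookies it is easily blocked by anti-scraping measures, so results are unstable |
| DDG HTML Lite | Plain HTTP | Overseas | html.duckduckgo.com |

Strategy

| Region | Search | Fetch |
|---|---|---|
| Mainland China | Bing CN (Playwright) | Automatically fetches the top 3 results |
| Overseas | DDG HTML | Automatically fetches the top 3 results |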

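How the IP region is determined

Detection runs automatically on every search. The three probe rounds run in parallel, and the first one to succeed is used:

| Round | Probe service | Logic |
|---|---|---|
| Round 1 | myip.ipip.net / cip.cc | Services reachable from mainland China take priority |
| Round 2 | ipinfo.io / ipapi.co | International probes |
| Round 3 | Test connection to cn.bing.com | If reachable, most likely in mainland China |
| Fallback | | Defaults to mainland China |

When the egress IP goes through a proxy, the region may be misdetected; specify it manually with --region=cn / --region=intl.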

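Deduplication

Smart deduplication: domain + path stem (ignoring www/m subdomains, tracking parameters, trailing slashes, and the .html suffix).

Bing redirect URLs (bing.com/ck/) are automatically decoded to direct links.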
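
One way to build the "domain + path stem" key described above, as an added example that is not the skill's own code. The names dedupKey and dedupe, the TRACKING_PARAMS list, and the choice to keep non-tracking query parameters in the key are assumptions; the page does not specify them.

```javascript
// Added illustration; not taken from scripts/search.js.
// Assumed tracking-parameter list: the page does not enumerate one.
const TRACKING_PARAMS = /^(utm_\w+|gclid|fbclid|spm)$/i;

// Returns the dedup key for a URL, or null if it is not an http(s) URL.
function dedupKey(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null; // not an absolute URL
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  // Ignore www. and m. subdomains.
  const host = u.hostname.toLowerCase().replace(/^(www|m)\./, '');
  // Path stem: drop trailing slashes, then a .html suffix.
  const path = u.pathname.replace(/\/+$/, '').replace(/\.html$/i, '');
  // Assumption: non-tracking parameters still distinguish pages, so keep them (sorted).
  const kept = [...u.searchParams.entries()]
    .filter(([k]) => !TRACKING_PARAMS.test(k))
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([k, v]) => `${k}=${v}`);
  return host + path + (kept.length ? '?' + kept.join('&') : '');
}

// Keeps the first URL seen for each key; drops unparseable or non-http entries.
function dedupe(urls) {
  const seen = new Set();
  const out = [];
  for (const url of urls) {
    const key = dedupKey(url);
    if (key === null || seen.has(key)) continue;
    seen.add(key);
    out.push(url);
  }
  return out;
}

// Constructed sample input (not real search results).
const SAMPLE = [
  'https://www.example.com/news/a.html?utm_source=feed',
  'http://m.example.com/news/a/',
  'https://example.com/search?q=1&fbclid=abc',
  'https://example.com/search?q=2',
  'not a url',
];
console.log(dedupe(SAMPLE));
```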

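Fetch modes

After a search, the content of the top N URLs is fetched automatically (3 by default).

| Tier | Method | Speed | Notes |
|---|---|---|---|
| Tier 1 | Lightweight HTTP + cheerio | ⚡ Near-instant | No browser is launched |
| Tier 2 | Playwright headed | 🟡 Slow | Full browser, supports JS rendering |

Tier 1 enhancements:

  • JSON API responses: the Content-Type is detected automatically and structured content is extracted
  • JSON-LD: extracts articleBody/description from <script type="application/ld+json">
  • __NEXT_DATA__: extracts data embedded by Next.js
  • meta tags: og:description / description as a fallback
  • GBK encoding: detected and converted automatically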

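Installation

Prerequisites (all required):

| Dependency | Description | Size / time |
|---|---|---|
| Node.js >= 18 | Runtime | |
| cheerio | HTML parsing | Small, installs in seconds |
| commander | CLI argument parsing | Small, installs in seconds |
| iconv-lite | GBK encoding conversion | Small, installs in seconds |
| playwright | Browser automation (Bing search + fetch fallback) | ~50MB |
| Chromium | Browser used by Playwright | ~150MB, takes a few minutes to download |

The setup script automatically detects the network region and uses mirror sources in mainland China for faster downloads: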

# Windows
powershell -File scripts/setup.ps1

# Linux/macOS
bash scripts/setup.sh

Mainland China mirrors:

  • npm: https://registry.npmmirror.com
  • Playwright/Chromium: https://npmmirror.com/mirrors/playwright

Manual installation:

cd skills/free-web-search-js
npm install
npx playwright install chromium    # ~150MB, takes a few minutes

Verify the environment: node scripts/check-env.js

Uninstall: node scripts/uninstall.js

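Performance optimization: browser daemon

Search and fetch can reuse the browser daemon, for a speedup of about 70%.

node scripts/browser-daemon.js &       # start
node scripts/browser-daemon.js --status # status
node scripts/browser-daemon.js --stop   # stop

The daemon exits automatically after 10 minutes of idle time.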

Usage

# Search (search + automatically fetch the content of the top 3 results)
node scripts/search.js "白银价格"
node scripts/search.js "how to deploy docker" --max=5
node scripts/search.js "xxx" --region=cn
node scripts/search.js "xxx" --fetch=5          # fetch the top 5 results
node scripts/search.js "xxx" --no-fetch         # search only, no fetch

# Fetch only (given URLs)
node scripts/fetch.js "https://example.com/page1" "https://example.com/page2"

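Known limitations

  • First search in mainland China is slow: Chromium must be started (3~6s); later searches are faster through reuse
  • Bing CN instant answers are not returned: instant cards such as weather and calculator do not use li.b_algo, so the search returns 0 results
  • Sogou over HTTP is unstable: cookie-less plain requests are easily blocked by anti-scraping measures and results may be empty (use --engine=sogou with caution)
  • Some sites cannot be fetched over HTTP: pages that need JS rendering; when HTTP fails, a headed retry happens automatically
  • Some sites are unreachable from overseas: mainland-China-only sites may time out when accessed from overseas
  • Proxies interfere with IP detection: when the egress IP goes through a proxy the region may be misdetected; specify it manually with --region=cn/intl
  • Overseas engines are unreachable from mainland China: DDG is blocked in mainland China, so the mainland China strategy does not use it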
