Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unifuncs Deep Research

v0.0.7

Use UniFuncs Deep Research API to run in-depth research and generate long-form reports (10,000 words or more). Use this skill when users request deep researc...

by UniFuncs @vinlic
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included code: the three Python clients call api.unifuncs.com endpoints (create_task, chat/completions, query_task) and implement options for streaming, output length, domain allowlist/blacklist, etc. These requirements are consistent with a deep-research/reporting tool.
Instruction Scope
SKILL.md restricts runtime to running the provided Python scripts (allowed-tools: Bash(python3:*)) and enforces a mandatory second confirmation step before invocation, which is a positive safety measure. The scripts read an API key from UNIFUNCS_API_KEY, perform network requests to api.unifuncs.com, create/read temporary or user-specified stream files, and may spawn subprocesses (deep-research-report.py imports subprocess). The scripts do not appear to access other environment variables or unrelated system configuration, but they do write to arbitrary writable paths if the user supplies a --stream-file path; that could overwrite files if misused. The use of subprocess is present in the code base (truncated portion not visible) — this should be inspected to ensure it doesn't execute arbitrary uncontrolled commands.
Install Mechanism
No install spec (instruction-only with bundled scripts). Nothing is fetched from remote URLs during install; the risk surface is limited to executing the included Python scripts. This is lower-risk than arbitrary remote downloads, but executing bundled code still requires trust in the source.
Credentials
The SKILL.md and all three Python files require an API key via the environment variable UNIFUNCS_API_KEY. However, the registry metadata lists 'Required env vars: none' and 'Primary credential: none' — this is an inconsistency. Requesting a single service API key is reasonable for this skill's purpose, but the metadata omission is a coherence problem and could mislead users about required credentials.
Persistence & Privilege
The skill is not always:true and does not claim to persistently modify system or other skills' configuration. It writes temporary/stream files as part of streaming behavior, which is expected for long-running streaming outputs. No privileged system modifications are present in the visible code.
What to consider before installing
This skill appears to implement a legitimate UniFuncs API client for producing long research reports, but note these points before installing: (1) the code and SKILL.md require UNIFUNCS_API_KEY, but the registry metadata incorrectly lists no required env vars — supply only an API key you trust and expect to be used by this skill; (2) the scripts create/read stream files (temp or --stream-file) and will write to any writable path you supply — avoid pointing --stream-file at sensitive locations; (3) deep-research-report.py imports subprocess (the rest of that logic is truncated here) — review the full script to confirm it doesn't execute arbitrary shell commands with user-controlled input; (4) the skill contacts api.unifuncs.com and will send your query and options to that external service — do not send secrets or sensitive data to the skill; (5) the source/homepage are missing, so you should only install if you trust the provider or can audit the full scripts. If you want higher assurance, ask the publisher for a canonical homepage/repo and a clear update to the registry metadata to declare UNIFUNCS_API_KEY as a required credential, and request the full deep-research-report.py content be reviewed for subprocess usage.

Like a lobster shell, security has layers — review code before you run it.
