ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Web Search Ultimate

v11.0.0

Universal Search-First Knowledge Acquisition Plugin for LLMs. Enables real-time web search and deep page browsing via MCP or CLI. Zero-cost, privacy-first, s...

0· 118·0 current·0 all-time
byDa Wei@wd041216-bit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions align: the skill tells agents to run search-web and browse-page and to prefer live web search. Declared supported integrations and required Python packages (beautifulsoup4, lxml, ddgs, mcp) are consistent with a web‑search/browsing tool.
Instruction Scope
The SKILL.md stays on task (search then optionally browse full pages) and does not ask the agent to read unrelated local files or transmit unrelated data. It does, however, instruct users to add an MCP server entry to claude_desktop_config.json (i.e., modify a local app config) and to install/run a local command (free-web-search-mcp) that would be provided by the external package — this expands the scope from purely in‑agent instructions to running a third‑party local service.
!
Install Mechanism
Although the registry lists no install spec, the SKILL.md explicitly instructs users to pip install the package from a GitHub repository (git+https://github.com/wd041216-bit/free-web-search-ultimate.git). Installing arbitrary code from an external GitHub repo (rather than a vetted package on a trusted index or a signed release) is a supply‑chain risk: the installed package will place a binary/command (free-web-search-mcp) on the system and may run services or arbitrary code.
Credentials
The skill requests no environment variables, no credentials, and no config paths in the registry metadata. The requested Python deps and mcp tooling are reasonable for a web‑search/browsing tool and are proportionate to the stated functionality.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation rules. The notable point is that the documentation directs installation of a local MCP server/command (free-web-search-mcp) which, once installed, could run a local service (listening ports/processes). Autonomous invocation combined with installing a third‑party local server increases risk if that server has broad privileges or network behavior.
What to consider before installing
This skill's behavior and instructions match its description, but it tells you to pip install code directly from an external GitHub repository and to run a local MCP command. Before installing: inspect the referenced GitHub repository (source code, recent commits, maintainer reputation), check whether the package is published on a trusted index (PyPI) or signed releases, and review what the free-web-search-mcp binary does (network access, ports opened, data logged/transmitted). If you decide to try it, run the install inside a sandboxed environment or container, limit network access, and avoid giving any credentials to the new service until you audit its code. If you do not trust the author or cannot audit the repo, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d27c2czt7bqn0e3kp7x0thh832yx3v11vk97d27c2czt7bqn0e3kp7x0thh832yx3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments