Mysteel_InfoSearch
Advisory
Audited by VirusTotal on Mar 24, 2026.
Overview
Type: OpenClaw Skill
Name: mysteel-infosearch
Version: 1.0.0
The skill is a legitimate tool for querying commodity industry information from the Mysteel API. The Python script `scripts/search.py` uses standard libraries to perform authenticated POST requests to a specific, relevant domain (mcp.mysteel.com) and contains no evidence of malicious execution, data exfiltration, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms may be visible to the Mysteel service, so sensitive business questions should not be submitted unless the user is comfortable sharing them with that provider.
The script posts the user-provided query text to an external Mysteel API endpoint. This is aligned with the stated search purpose and is not hidden, but users should understand that query text leaves the local environment.
API_URL = "https://mcp.mysteel.com/mcp/info/ai-search/search" ... "text": text
Use the skill only for queries appropriate to send to Mysteel, and avoid including confidential information in search text.
Anyone who can read the local api_key.md file may be able to use the Mysteel API key, and the registry metadata does not flag a primary credential requirement.
The script reads a local API key file and sends that value as the token header to Mysteel. This is expected for an authenticated API client, but it is credential handling that users should notice.
API_KEY_FILE = SKILL_DIR / "references" / "api_key.md" ... "token": api_key
Use a dedicated, least-privilege Mysteel API key, keep references/api_key.md private, do not commit it to shared repositories, and declare the credential requirement in metadata.
