Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finder Local Search

v1.0.1

Use when you need to search for or recommend TikTok, YouTube, or Instagram influencers; retrieves candidate influencers through Finder.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (Finder local search for TikTok/YouTube/Instagram creators) matches the required actions: calling Finder APIs at https://finder.optell.com, reading/writing a per-user ~/.finder/config.json, and creating projects/searching. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md explicitly instructs the agent to check for, create, read, and write the local config file (~/.finder/config.json) and to accept the user's API key pasted into the chat and write it directly to disk. It also instructs the agent to automatically perform API calls and create projects. While these actions are consistent with the skill's purpose, they expand the agent's authority to collect and persist secrets from chat and to perform filesystem and network operations without additional user confirmation — a privacy/security concern that should be surfaced to users.
Install Mechanism
No install spec or external downloads — instruction-only skill. Nothing will be written to disk by an installer. The runtime behavior (shell/python/curl snippets) is described in docs, but there is no packaged installer to evaluate.
Credentials
The skill declares no environment variables or credentials but implicitly requires a Finder API key. Requesting and storing that key in ~/.finder/config.json is proportionate to the described functionality. However, the instructions encourage users to paste the API key into the chat (which may be logged/retained by the platform) and instruct the agent to store it automatically — this increases risk beyond simply providing a single API key via a secure channel.
Persistence & Privilege
always:false (no forced global presence). The skill writes its own per-user config (~/.finder/config.json) and may create a directory and project via the Finder API — these are scoped to the user's files and account and are reasonable for this functionality. Note: the agent's ability to autonomously invoke the skill is the platform default; combined with the skill's file-write behavior it means the agent could attempt these actions without repeated prompts.
Assessment
This skill does what it claims (search Finder for creators) and needs your Finder API key to operate. Key points before installing or using it:
- Do NOT paste long-lived API keys or other secrets into chat unless you understand the platform's chat retention and trust it; the skill instructs the assistant to accept a pasted key and write it directly to ~/.finder/config.json. If you prefer, create that config file yourself instead of sharing the key in chat.
- The skill will read and write a local file (~/.finder/config.json) and may run curl/python/powershell commands if the agent environment allows execution. Be comfortable with the agent performing those filesystem and network actions.
- Verify you trust the endpoint (https://finder.optell.com) and the email address developer.optell@gmail.com used for quota issues.
- If you want tighter control: manually create ~/.finder/config.json with the API key, or provide a short-lived token and revoke it after use. If you have limited trust in automated behavior, avoid pasting credentials in chat and require explicit confirmation before the skill writes files or performs API calls.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bbhsfyx081rxm7cnxww2qss83phem
