Aliyun Web Search

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is classified as suspicious due to a lack of input sanitization in `scripts/search.sh`. The `$QUERY` variable, which is user-controlled input, is directly embedded into the JSON payload without proper escaping. While this does not appear to lead to local shell injection due to how the shell handles heredocs and quoted variables, it represents a JSON injection vulnerability against the remote Aliyun API, potentially allowing a malicious user to craft queries that break the JSON structure or inject unintended fields. The `SKILL.md` is well-written and does not contain prompt injection attempts.