Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Claw Search
v1.0.3提供免费通用 Web 搜索 API 服务,支持多后端兼容,无需 API Key,快速响应,适合 AI Agent 集成使用。
⭐ 0· 303·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims a lightweight, no-API-key search API, but the shipped code needs additional runtime components that are not declared: (1) Node code uses puppeteer/puppeteer-core and expects a Chromium binary at /usr/bin/chromium-browser; (2) a Python frontend (search-frontend/server.py) requires Flask, requests, BeautifulSoup, but Python deps are not documented; (3) server/search.js calls an external 'skillhub' CLI via execSync. These binaries/libraries are plausible for a scraping-based search service, but the skill metadata declared no required binaries or install steps — that mismatch is concerning.
Instruction Scope
The SKILL.md gives general deploy/run instructions only, but the runtime instructions in the code go beyond that surface: server/search.js executes `skillhub search "<query>"` (execSync) which runs a local binary with user-supplied input (risk of shell injection and requires 'skillhub' to exist). server-v2.js reads a hard-coded absolute path under /root/.openclaw/workspace/... to load data, indicating the code expects access to the agent's workspace filesystem. Multiple components perform web scraping (puppeteer, requests) — all of which are coherent with a search aggregator but the SKILL.md does not warn about required native/browser binaries or the local-exec behavior.
Install Mechanism
There is no install spec in registry metadata (instruction-only), but repository includes package.json and package-lock.json and expects npm install; package-lock entries resolve via a Tencent mirror (mirrors.tencentyun.com). Relying on npm install will pull many dependencies (puppeteer and its browser tooling are large). The absence of a declared install mechanism plus use of puppeteer and a non-default mirror are operational / supply-chain risks to review before installing.
Credentials
SKILL.md lists a small set of optional env vars (PORT, TAVILY_API_KEY, BRAVE_API_KEY) and the scripts reference CLAW_SEARCH_URL. There are no broad credentials requested. However, the code expects system binaries (chromium, skillhub) and reads/writes local files (/tmp/claw-search-stats.json, /root/.openclaw/...). Those filesystem accesses are not declared in metadata and may expose more of the host environment than the README implies.
Persistence & Privilege
Skill does not set always:true and does not request elevated platform privileges in the metadata. It does, however, contain server code that will run as a persistent service when deployed (docker-compose), which is expected for a search API but means it will run continuously and have filesystem/network access as shown in the code.
What to consider before installing
This skill is plausible as a search aggregator, but I recommend caution before installing or running it on any machine you care about:
- Review and mitigate shell-injection risk: server/search.js uses execSync with user-supplied query (executes `skillhub search "<query>"`). Treat queries as untrusted input and avoid executing them in a shell; prefer spawn with argument arrays or sanitize/escape inputs.
- Confirm required binaries and runtimes: the code expects Chromium at /usr/bin/chromium-browser, Node + npm (to install puppeteer), and the 'skillhub' CLI; a Python Flask stack appears too. These are not declared in metadata — install in an isolated environment (container) if you test.
- Audit third-party dependencies and sources: package-lock references a non-default npm mirror; if you plan to run npm install, consider pinning/inspecting packages and fetching from trusted registries.
- Watch filesystem access: server-v2.js reads an absolute path under /root/.openclaw/workspace/..., and the service writes /tmp/claw-search-stats.json. Ensure the service cannot access sensitive host files and run inside a sandbox (container with limited mounts) if installed.
- If you need the skill for agent usage, prefer self-hosting in an isolated container (no access to host secrets), or ask the author to: (a) declare required binaries/py deps, (b) remove direct exec of user-controlled strings or properly escape arguments, (c) avoid hard-coded absolute paths and document data locations.
Given the mismatches and the exploitable pattern (shell exec with unsanitized input), treat this skill as suspicious until the above issues are resolved or you perform an operational audit in a safe environment.server/search.js:16
Shell command execution detected (child_process).
scripts/search.mjs:7
Environment variable access combined with network send.
server/search.js:8
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk972hpxdscpbtf6x3cabe7012h835znm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.