ClawHub

Bailian Search

v1.1.0

Real-time web search powered by Alibaba Cloud Bailian (DashScope) MCP service. Use when: user asks for latest news, real-time information, current events, or...

2· 507·2 current·2 all-time
by@zengxi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the required environment variable (DASHSCOPE_API_KEY) and network endpoints (dashscope.aliyuncs.com). However, SKILL.md and metadata list 'curl' as a required binary even though the shipped search.sh invokes python3 only; conversely the Python code depends on the third‑party 'requests' library which is not declared in the metadata. These are inconsistencies (likely oversights) but not directly malicious.
Instruction Scope
Runtime instructions are limited to reading the DASHSCOPE_API_KEY, opening SSE connections to Bailian endpoints, and returning results. The SKILL.md does not instruct reading other system files or unrelated credentials. One minor mismatch: SKILL.md claims "No data is stored or logged by this skill," but the script prints SSE events and error details to stderr (which could expose event contents in logs).
Install Mechanism
No install spec (instruction-only skill + code file). No remote downloads or installers are invoked by the skill itself, reducing install-time risk. Files are included in the package (search.sh, SKILL.md, etc.).
Credentials
The skill requires a single credential (DASHSCOPE_API_KEY), which is appropriate for a web‑search integration. Caveats: SKILL.md suggests storing the API key in shell profile or via 'openclaw config', both of which are persistent choices—ensure you understand where OpenClaw stores that config and who/what can read it on your system.
Persistence & Privilege
The skill does not set always: true, does not request elevated privileges, and does not modify other skills or global agent settings. It is user‑invocable and may be invoked autonomously by the agent (default behavior).
Assessment
Before installing: (1) Verify the skill source/author (ownerId is not a recognizable publisher). (2) Review search.sh yourself — it only contacts dashscope.aliyuncs.com and reads DASHSCOPE_API_KEY. (3) Ensure Python's 'requests' library is available on the host (pip install requests) or the script will fail; the package does not declare this dependency. (4) Prefer storing the API key in a secure secrets manager rather than plain ~/.bashrc; if you use 'openclaw config set', confirm where OpenClaw persists that value and who/what can read it. (5) If you are uncomfortable with persistent storage, use a temporary environment variable when invoking the skill. (6) The metadata unnecessarily lists 'curl' as required — this appears to be a small metadata bug rather than malicious behavior. If you need higher assurance, ask the publisher for a trusted source URL or sign-off and consider running the skill in an isolated environment the first time.

Like a lobster shell, security has layers — review code before you run it.

latestvk973tcg7y5w3fpkykeakxwbab183fzq9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binscurl, python3
EnvDASHSCOPE_API_KEY

Comments