Qingbo Search

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Qingbo Search appears to perform the advertised article-search API integration, but users should note that it requires Qingbo API credentials and sends search requests to an external endpoint.

Before installing, make sure you trust this Qingbo integration, protect the app_key/app_secret you place in config.json, understand that searches may consume Qingbo account points, and use HTTPS or a trusted network where possible.

Static analysis

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

The configured Qingbo credentials may allow API use and consume account points, so access to the config file matters.

Why it was flagged

The skill requires users to place Qingbo API credentials in a local configuration file so it can authenticate API requests.

Skill content
"app_key": "您的app_key", "app_secret": "您的app_secret"
Recommendation

Use a dedicated, limited Qingbo API key if possible, protect config.json permissions, and avoid committing the file with real secrets.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Search terms and the generated API access token could be observable on the network if the connection is not protected elsewhere.

Why it was flagged

The skill sends API requests with an access-token header to an external provider endpoint over plain HTTP.

Skill content
const baseUrl = 'http://databus.gsdata.cn:8888/api/service'; ... headers: { 'access-token': accessToken }
Recommendation

Prefer an HTTPS Qingbo endpoint if supported, and avoid sensitive searches or credential use on untrusted networks.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Installing dependencies runs the normal npm supply-chain path for node-fetch and its dependencies.

Why it was flagged

The README expects a package installation step even though the registry shows no install spec.

Skill content
cd skills/qingbo_search
npm install
Recommendation

Install only from the reviewed package, keep the included lockfile, and verify dependency provenance if operating in a sensitive environment.