Low Risk — Risk Score 20/100
Last scan: 2 days ago
openclaw-free-search
Free web search for OpenClaw without API keys, using DuckDuckGo Instant Answer API
A straightforward web search utility using DuckDuckGo with a legitimate network fallback mechanism; minor documentation gap regarding shell execution.
Skill Name: openclaw-free-search
Duration: 25.0s
Engine: pi
Safe to install
Document the execFileSync/curl fallback in SKILL.md for full transparency. Otherwise safe to use.

Findings 2 items

Severity | Finding | Location

Low | Undeclared shell fallback mechanism | search.js:28
search.js uses execFileSync('curl', ...) as a fallback when the fetch API cannot reach DuckDuckGo. This is not documented in SKILL.md. While a legitimate network fallback (common in regions where DuckDuckGo is blocked), it should be declared for transparency.
Evidence: const out = execFileSync('curl', ['-s', '-L', '--max-time', '15', url], {...})
→ Add 'Shell execution (curl fallback)' to the capability declaration in SKILL.md

Info | Monetized external links in documentation | SKILL.md:42
SKILL.md includes a paid installation service (¥99-299) and a landing page. This is a commercial upsell but not a security concern.
Evidence: 📧 **Installation Service**: ¥99-299
→ No action needed; informational only
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | search.js:17 — fetch(url) to DuckDuckGo API
Shell | NONE | WRITE | ✓ Aligned | search.js:28 — execFileSync('curl', [...]) as network fallback
Filesystem | NONE | NONE | | No file read/write operations found
Environment | NONE | NONE | | No environment variable access
External URLs (2 findings)

Medium | External URL | https://yang1002378395-cmyk.github.io/openclaw-install-service/ | SKILL.md:45
Medium | External URL | https://api.duckduckgo.com/?q=$ | search.js:18

File Tree

2 files · 3.5 KB · 124 lines
JavaScript 1f · 75L Markdown 1f · 49L
├─ 📜 search.js JavaScript 75L · 2.3 KB
└─ 📝 SKILL.md Markdown 49L · 1.2 KB

Security Positives

✓ No credential harvesting or environment variable enumeration
✓ No data exfiltration or external IP POST requests
✓ No base64/eval obfuscation or hidden instructions
✓ Uses a well-known, legitimate free API (DuckDuckGo)
✓ Query parameter is properly sanitized via encodeURIComponent
✓ No filesystem write or sensitive path access
✓ No reverse shell, C2, or suspicious network patterns
✓ No dependency on untrusted external scripts