Scan Report
20 / 100
openclaw-free-search
Free web search for OpenClaw without API keys, using DuckDuckGo Instant Answer API
A straightforward web search utility using DuckDuckGo with a legitimate network fallback mechanism; minor documentation gap regarding shell execution.
Safe to install
Document the execFileSync/curl fallback in SKILL.md for full transparency. Otherwise safe to use.
Security findings: 2

| Severity | Finding | Location |
|---|---|---|
| Low | Undeclared shell fallback mechanism | search.js:28 |
| Info | Monetized external links in documentation | SKILL.md:42 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | search.js:17 — fetch(url) to DuckDuckGo API |
| Command execution | NONE | WRITE | ✓ Consistent | search.js:28 — execFileSync('curl', [...]) as network fallback |
| Filesystem | NONE | NONE | — | No file read/write operations found |
| Environment variables | NONE | NONE | — | No environment variable access |
External URLs: 2 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://yang1002378395-cmyk.github.io/openclaw-install-service/ | SKILL.md:45 |
| Medium | External URL | https://api.duckduckgo.com/?q=$ | search.js:18 |

Directory structure
2 files · 3.5 KB · 124 lines (JavaScript: 1 file · 75 lines; Markdown: 1 file · 49 lines)
├─ search.js (JavaScript)
└─ SKILL.md (Markdown)
Security highlights
✓ No credential harvesting or environment variable enumeration
✓ No data exfiltration or external IP POST requests
✓ No base64/eval obfuscation or hidden instructions
✓ Uses a well-known, legitimate free API (DuckDuckGo)
✓ Query parameter is properly sanitized via encodeURIComponent
✓ No filesystem write or sensitive path access
✓ No reverse shell, C2, or suspicious network patterns
✓ No dependency on untrusted external scripts