Skill details (on-site mirror, no comments)
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v1.0.0
Stats: ⭐ 0 · 30 · 0 current installs · 0 all-time installs
Package: airaalfredsf/aira-smart-search
Security scan (ClawHub)
- VirusTotal: Benign
- OpenClaw: Suspicious
OpenClaw assessment
The skill's behaviour (reading global openclaw.json for API keys, persisting shared quota and searchable logs in ~/.openclaw, and requiring npm dependencies via included scripts) is coherent with its stated purpose but the package metadata does not declare the sensitive environment variables and shared-file access it needs — this mismatch and the persistent logging of queries are worth caution.
Purpose
The skill claims to route searches via Gemini and Brave APIs and to use a shared quota file. The implementation expects GEMINI_API_KEY and BRAVE_API_KEY to live in the top-level env block of ~/.openclaw/openclaw.json and uses a shared quota file under ~/.openclaw/workspace/shared. However the registry metadata declares no required environment variables or primary credential — that is inconsistent and under-declares the sensitive credentials an…
Instruction scope
SKILL.md and index.js instruct the agent to read the global openclaw.json, read/write a shared quota JSON at ~/.openclaw/workspace/shared/search-quota.json, and log all searches to a logs directory next to the quota file. That means user queries (possibly sensitive) are persisted to disk and are visible to other agents/processes that can read that directory. The skill also performs web_fetch fallbacks and calls external providers — expected fo…
Install mechanism
There is no remote download; the repository includes code and two shell scripts (setup.sh and reset-quota.sh). setup.sh runs 'npm install' (traceable dependency 'proper-lockfile') and creates ~/.openclaw workspace and quota file. This is moderate-risk because code will be executed locally and npm install runs arbitrary package scripts, but no external ad-hoc binary download URLs or URL shorteners are used.
Credentials
Although the registry lists no required env vars, the code reads config.env.GEMINI_API_KEY and config.env.BRAVE_API_KEY from the global openclaw.json. It also respects SEARCH_QUOTA_PATH and OPENCLAW_CONFIG_PATH overrides. Reading the entire openclaw.json can expose other top-level env secrets stored there. The skill therefore requires access to sensitive API keys and a shared filesystem location — these are not declared in the metadata and are…
Persistence
The skill persists live quota state and search logs to a shared workspace under the user's home directory and uses file locking to coordinate concurrent access. Persisting full search logs (and potentially query results) to a shared file increases the risk of leaking sensitive queries to other local agents or users. The skill does not request 'always: true' and does not modify other skills, but its write access to a shared path and global conf…
index.js:22
Environment variable access combined with network send.
index.js:234
File read combined with network send (possible exfiltration).
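Installation (copy to Lobster AI)
Copy the entire block below into a Lobster Chinese Library conversation; Lobster will complete the installation by following SKILL.md.
Hand this section to Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "smart-search" on this machine. Summary: Intelligent web search routing across Gemini and Brave APIs with quota manageme…
Fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/airaalfredsf/aira-smart-search/SKILL.md
(Source: yingzhi8.cn skill library)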