← Back to Skills Marketplace
media-search
by
liushilong-dodo
· GitHub ↗
· v1.0.0
· MIT-0
86
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install media-search
Description
当用户需要写新闻、找素材、查背景、核实信息、了解事件来龙去脉,或者提到"查一下"、"搜一下"、"找找相关报道"、"有什么最新消息"时,或开展互联网线索数据挖掘、新闻选题策划、内容采编、监测竞品或特定信源动态等业务时,需要进行全网媒体稿件检索、查找事件背景、行业数据、政策动态、人物信息、历史脉络等,都应使用此技能
Usage Guidance
This package appears to be a normal client for a third‑party media API and legitimately needs the two environment variables it requests. Before installing or running it, consider: (1) The code disables TLS verification (requests use verify=False and urllib3 warnings are suppressed) — this weakens transport security and can expose credentials/data to MitM; avoid using it on untrusted networks or modify the code to enable certificate verification. (2) The tool persists an access token and query results in the skill directory (.mbd_token_cache.json and sources/). These files contain tokens, appid and full query results — set restrictive filesystem permissions, keep them out of backups, and delete when not needed. (3) Confirm you trust the API host (mbdapi.fzdzyun.com): credentials you supply will be sent there. (4) The bundle contains executable Python code (not purely instruction-only), so review the code or run in a sandbox if you are uncertain. If you accept these tradeoffs, provide the two environment variables; otherwise, do not install/run the skill or patch the code to enforce TLS and control where tokens/results are stored.
Capability Analysis
Type: OpenClaw Skill
Name: media-search
Version: 1.0.0
The skill bundle is a functional tool for searching a media database via the Founder Electronics (fzdzyun.com) API, but it contains security vulnerabilities. Specifically, both `scripts/media_search.py` and `scripts/token_manager.py` explicitly disable SSL certificate verification (`verify=False`), which exposes the agent to Man-in-the-Middle (MITM) attacks when handling sensitive API keys and tokens. While the code follows its stated purpose and lacks clear evidence of intentional malice or data exfiltration, the intentional bypass of standard transport security protocols meets the criteria for a 'suspicious' classification.
Capability Assessment
Purpose & Capability
Name/description (media search, news/background checks) aligns with the code and declared requirements: the package calls a media-data API and requires NEWS_BIGDATA_API_KEY and NEWS_BIGDATA_API_SECRET. The requested secrets and networking to mbdapi.fzdzyun.com are proportional to the stated purpose.
Instruction Scope
SKILL.md instructs running search.py with JSON input and documents the same environment variables the code reads. The runtime behavior is bounded to search operations, but the tool saves full results into a local sources/ directory and writes a token cache file (.mbd_token_cache.json) in the skill directory (this is documented). There is no instruction to read unrelated system files or other credentials.
Install Mechanism
There is no install script; dependencies are standard Python packages listed in requirements.txt. The code is included in the bundle, so nothing is downloaded at install time. Note: SKILL metadata described the skill as 'instruction-only' but the package contains executable code — this is an informational mismatch (not necessarily malicious).
Credentials
The skill only requires two environment variables (NEWS_BIGDATA_API_KEY and NEWS_BIGDATA_API_SECRET), which align with its API usage. It persists tokens to a local file and logs parts of the appid in logs; storing tokens locally is expected but increases local exposure of credentials if the directory is shared or backed up.
Persistence & Privilege
The skill writes two persistent artifacts into its directory by default: a token cache file (.mbd_token_cache.json) and saved search results under sources/. Those files contain tokens, query parameters and results and can leak sensitive data if the directory is accessible. The skill is not always:true and does not request elevated system privileges, but local file writes are significant and should be accepted explicitly by the user.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install media-search - After installation, invoke the skill by name or use
/media-search - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of media-search skill for comprehensive media content searching.
- Supports search by keywords, time range, source, and data type, with advanced rules for keyword splitting and time parsing.
- Provides results via JSON file output or formatted console output.
- Flexible filtering, parameter validation, and error handling included.
- Result storage management, environment variable requirements, and workflow integration guidance provided.
Metadata
Frequently Asked Questions
What is media-search?
当用户需要写新闻、找素材、查背景、核实信息、了解事件来龙去脉,或者提到"查一下"、"搜一下"、"找找相关报道"、"有什么最新消息"时,或开展互联网线索数据挖掘、新闻选题策划、内容采编、监测竞品或特定信源动态等业务时,需要进行全网媒体稿件检索、查找事件背景、行业数据、政策动态、人物信息、历史脉络等,都应使用此技能. It is an AI Agent Skill for Claude Code / OpenClaw, with 86 downloads so far.
How do I install media-search?
Run "/install media-search" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is media-search free?
Yes, media-search is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does media-search support?
media-search is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created media-search?
It is built and maintained by liushilong-dodo (@liushilong-dodo); the current version is v1.0.0.
More Skills