← Back to Skills Marketplace
Nyne Search
by
Michael Fanous
· GitHub ↗
· v1.0.0
645
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install nyne-search
Description
Search for people using natural language queries with the Nyne Search API. Find professionals by role, company, location, industry, or any combination. Suppo...
Usage Guidance
This skill's instructions implement a people-search API and request an API key + secret, but the registry metadata does not declare those env vars or the runtime binaries (curl, jq, python3) used in examples. Before installing: 1) Confirm you trust api.nyne.ai and understand billing/credits for email/phone enrichment. 2) Ensure the agent environment has curl, jq, and python3 or update the skill metadata to declare them. 3) Be aware the skill will surface potentially sensitive PII (emails, phone numbers, work history); confirm this is legally and ethically acceptable for your use. 4) Avoid echoing secrets into logs or shells; if you must verify env vars, use safer checks (e.g., check for non-empty values rather than printing fragments). 5) If you need stronger guarantees, ask the author to fix the metadata (declare NYNE_API_KEY and NYNE_API_SECRET as required env vars and list required binaries) and to document privacy/retention behavior for returned profiles.
Capability Analysis
Type: OpenClaw Skill
Name: nyne-search
Version: 1.0.0
The skill is suspicious due to a shell injection vulnerability in SKILL.md. The `curl` command used for polling results, `curl -s "https://api.nyne.ai/person/search?request_id=$REQUEST_ID"`, directly embeds the `$REQUEST_ID` variable into a double-quoted string. If the Nyne API returns a `request_id` containing shell metacharacters (e.g., `$(command)`), this could lead to arbitrary command execution on the agent's host. This is a critical vulnerability, although it does not demonstrate intentional malice from the skill developer.
Capability Assessment
Purpose & Capability
The SKILL.md clearly implements a people-search integration with Nyne (query submission, polling, showing profiles and optional contact enrichment). Requesting API key/secret and returning emails/phones is coherent with a people-search service. However, the registry metadata lists no required environment variables or binaries while the instructions require NYNE_API_KEY and NYNE_API_SECRET and use curl, jq, and python3 — a metadata/instruction mismatch.
Instruction Scope
Instructions direct the agent to display 'all returned data' for each profile (including emails, phone numbers, work history, education, patents), which is expected but high privacy/PII exposure. The SKILL.md also defines helper shell functions and writes results to /tmp/nyne_search.json. It echoes a partial secret for verification, which can leak secrets into shell history or logs. The instructions do not attempt to exfiltrate data to unexpected endpoints, but they do instruct broad disclosure of personally identifiable information — confirm legal/privacy appropriateness.
Install Mechanism
There is no install spec (instruction-only), which is low risk for code execution. However, the runtime examples assume availability of curl, jq, and python3; the skill metadata did not declare these required binaries. That mismatch can lead to runtime failures or hidden assumptions about the agent environment.
Credentials
The SKILL.md requires NYNE_API_KEY and NYNE_API_SECRET — appropriate for the API — but the registry metadata claims no required env vars or primary credential. This is a substantive inconsistency. Also note the skill enables optional flags that incur credit costs and return sensitive contact details; ensure the API key's billing and access scope are understood before use. The practice of echoing parts of secrets can leak them to logs or histories.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not include install-time modifications or cross-skill config changes. It is user-invocable and allows autonomous invocation by the model (default), which is normal — no extra persistence privileges are requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install nyne-search - After installation, invoke the skill by name or use
/nyne-search - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of nyne-search skill.
- Enables searching for professionals by natural language query with Nyne Search API, supporting filters by role, company, location, industry, and more.
- Supports three search tiers (light, medium, premium), async search flow (POST to submit, poll GET with request_id), and result pagination.
- Returns comprehensive profile data: contact enrichment, work history, education, skills, patents, social, interests, AI relevance scoring, and insights.
- Provides detailed usage, setup, and robust JSON parsing instructions to handle API responses.
Metadata
Frequently Asked Questions
What is Nyne Search?
Search for people using natural language queries with the Nyne Search API. Find professionals by role, company, location, industry, or any combination. Suppo... It is an AI Agent Skill for Claude Code / OpenClaw, with 645 downloads so far.
How do I install Nyne Search?
Run "/install nyne-search" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Nyne Search free?
Yes, Nyne Search is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Nyne Search support?
Nyne Search is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Nyne Search?
It is built and maintained by Michael Fanous (@michaelfanous2); the current version is v1.0.0.
More Skills