
MiMo 联网搜索 (MiMo Web Search)

by EnderXiao · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
248 Downloads
1 Stars
1 Active Installs
2 Versions
Install in OpenClaw
/install mimo-web-search
Description
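Provides real-time web search based on Xiaomi's MiMo model, supporting up-to-date information lookup and fact checking. Requires a configured API Key and is a paid service.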
Usage Guidance
Key things to consider before installing:
- Metadata mismatch: the registry advertises no required env vars but both SKILL.md and index.js require MIMO_API_KEY. Ask the publisher to update the registry entry so the required credential is explicit (primaryEnv should be MIMO_API_KEY).
- Shell injection risk: the implementation builds and runs a curl command via child_process.exec with the query embedded in JSON without proper escaping. Malicious or accidental input could break the command and enable injection. Prefer using an in-process HTTP client (fetch/axios/https.request) or securely escape inputs before using exec.
- Verify the API endpoint and publisher: source/homepage are missing. Confirm api.xiaomimimo.com is the legitimate MiMo API endpoint and that you trust the publisher before providing an API key.
- Costs and tests: test.js and examples will make live API calls and incur charges. Only run tests with a valid (and limited) API key and in an environment where you accept the billing risk.
- Mitigations: update the package/registry metadata to declare MIMO_API_KEY, replace shell exec with a safe HTTP client or properly escape inputs, and limit the API key's scope/permissions where possible. If you cannot validate the endpoint or publisher, avoid installing or provide a restricted key.
Capability Analysis
Type: OpenClaw Skill
Name: mimo-web-search
Version: 1.0.1
The skill contains a critical shell injection vulnerability in index.js. It uses child_process.exec to execute a curl command where the user-provided query is included in a JSON payload wrapped in single quotes. Because JSON.stringify does not escape single quotes, a crafted query (e.g., containing '; command ;) can break out of the shell string and execute arbitrary commands on the host. While the skill appears to be a legitimate tool for the MiMo search API (api.xiaomimimo.com), the unsafe handling of user input makes it highly vulnerable to exploitation.
Capability Assessment
Purpose & Capability
The skill's name, SKILL.md, and code all describe a MiMo web-search integration and call https://api.xiaomimimo.com, which is coherent with the description. However the registry metadata declares no required environment variables or primary credential, while both SKILL.md and index.js require MIMO_API_KEY. The missing declared env var in the metadata is an inconsistency that should be corrected or explained. Source/homepage are unknown which reduces traceability.
Instruction Scope
The runtime instructions tell the agent to call the MiMo API via curl/exec and to store an API key in MIMO_API_KEY — that is within scope. However the provided code builds a shell curl command by embedding JSON that includes user-provided query text directly into a single-quoted string and then runs it via child_process.exec. This can lead to shell/command injection if queries contain special characters (the code does not properly escape or avoid the shell). The SKILL.md examples repeat this pattern. Tests (test.js) will attempt real API calls, so installing/running tests may make live requests/cost money.
Install Mechanism
There is no install spec (instruction-only style); the package contains small Node.js files with no external dependencies. No downloads from arbitrary URLs or package installs are requested. This limits supply-chain risk compared to remote fetch/install flows.
Credentials
Only a single credential (an API key) is actually required at runtime (MIMO_API_KEY), which is reasonable for a web-search integration. However the registry metadata fails to declare this required env var or a primaryEnv, creating a mismatch between what the skill needs and what the registry advertises. That mismatch reduces transparency and is a governance concern. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configs, and requires no special system privileges. Autonomous invocation is allowed by default (not flagged here), and there is no evidence this skill attempts to persist tokens or escalate privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mimo-web-search
  3. After installation, invoke the skill by name or use /mimo-web-search
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Initial release: MiMo web search skill, supporting real-time information search through the web search capability of Xiaomi's MiMo models
v1.0.0
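- First release, integrating the web search capability of Xiaomi's MiMo v2 series models
- Supports real-time information queries and retrieval of the latest developments
- Calls the MiMo web search API through the exec tool
- Provides detailed API Key configuration and usage instructions
- Includes model and billing requirements, plus error and troubleshooting guidance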
Metadata
Slug mimo-web-search
Version 1.0.1
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is MiMo 联网搜索?

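It provides real-time web search based on Xiaomi's MiMo model, supporting up-to-date information lookup and fact checking; it requires a configured API Key and is a paid service. It is an AI Agent Skill for Claude Code / OpenClaw, with 248 downloads so far.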

How do I install MiMo 联网搜索?

Run "/install mimo-web-search" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is MiMo 联网搜索 free?

Yes, MiMo 联网搜索 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does MiMo 联网搜索 support?

MiMo 联网搜索 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created MiMo 联网搜索?

It is built and maintained by EnderXiao (@enderxiao); the current version is v1.0.1.
