Search codebases for patterns, symbols, and TODOs. Use when navigating large codebases.

This skill appears to do what it claims: local codebase searches using grep/find. It does not request credentials or perform network calls. Before installing or running it on sensitive systems, review the included scripts (they're small and readable). Note two practical cautions: (1) the scripts create ~/.local/share/code-searcher but don't currently store search results there (harmless but inconsistent with the README); (2) the scripts use unquoted shell variables in a few grep/find calls, which can mishandle patterns with spaces or unusual characters—prefer passing safe, validated paths/patterns or improve the scripts to quote arguments if you plan to use them with untrusted input. If you need stricter guarantees, run the skill in a constrained environment or inspect/modify the scripts to add proper quoting and any logging/persistence behavior you expect.

Type: OpenClaw Skill Name: code-searcher Version: 3.0.0 The skill contains multiple shell injection vulnerabilities in `scripts/script.sh` because user-supplied arguments (patterns and directories) are passed unquoted to commands like `grep` and `find` (e.g., in `cmd_find` and `cmd_grep`). Additionally, `scripts/the_silver_searcher.sh` is a misleading placeholder script that references a popular third-party tool (The Silver Searcher) without providing any actual functionality. While these issues represent significant security flaws and poor practices, there is no clear evidence of intentional malicious behavior or data exfiltration.