← 返回 Skills 市场
media-search
作者
liushilong-dodo
· GitHub ↗
· v1.0.0
· MIT-0
86
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install media-search
功能描述
当用户需要写新闻、找素材、查背景、核实信息、了解事件来龙去脉,或者提到"查一下"、"搜一下"、"找找相关报道"、"有什么最新消息"时,或开展互联网线索数据挖掘、新闻选题策划、内容采编、监测竞品或特定信源动态等业务时,需要进行全网媒体稿件检索、查找事件背景、行业数据、政策动态、人物信息、历史脉络等,都应使用此技能
安全使用建议
This package appears to be a normal client for a third‑party media API and legitimately needs the two environment variables it requests. Before installing or running it, consider: (1) The code disables TLS verification (requests use verify=False and urllib3 warnings are suppressed) — this weakens transport security and can expose credentials/data to MitM; avoid using it on untrusted networks or modify the code to enable certificate verification. (2) The tool persists an access token and query results in the skill directory (.mbd_token_cache.json and sources/). These files contain tokens, appid and full query results — set restrictive filesystem permissions, keep them out of backups, and delete when not needed. (3) Confirm you trust the API host (mbdapi.fzdzyun.com): credentials you supply will be sent there. (4) The bundle contains executable Python code (not purely instruction-only), so review the code or run in a sandbox if you are uncertain. If you accept these tradeoffs, provide the two environment variables; otherwise, do not install/run the skill or patch the code to enforce TLS and control where tokens/results are stored.
功能分析
Type: OpenClaw Skill
Name: media-search
Version: 1.0.0
The skill bundle is a functional tool for searching a media database via the Founder Electronics (fzdzyun.com) API, but it contains security vulnerabilities. Specifically, both `scripts/media_search.py` and `scripts/token_manager.py` explicitly disable SSL certificate verification (`verify=False`), which exposes the agent to Man-in-the-Middle (MITM) attacks when handling sensitive API keys and tokens. While the code follows its stated purpose and lacks clear evidence of intentional malice or data exfiltration, the intentional bypass of standard transport security protocols meets the criteria for a 'suspicious' classification.
能力评估
Purpose & Capability
Name/description (media search, news/background checks) aligns with the code and declared requirements: the package calls a media-data API and requires NEWS_BIGDATA_API_KEY and NEWS_BIGDATA_API_SECRET. The requested secrets and networking to mbdapi.fzdzyun.com are proportional to the stated purpose.
Instruction Scope
SKILL.md instructs running search.py with JSON input and documents the same environment variables the code reads. The runtime behavior is bounded to search operations, but the tool saves full results into a local sources/ directory and writes a token cache file (.mbd_token_cache.json) in the skill directory (this is documented). There is no instruction to read unrelated system files or other credentials.
Install Mechanism
There is no install script; dependencies are standard Python packages listed in requirements.txt. The code is included in the bundle, so nothing is downloaded at install time. Note: SKILL metadata described the skill as 'instruction-only' but the package contains executable code — this is an informational mismatch (not necessarily malicious).
Credentials
The skill only requires two environment variables (NEWS_BIGDATA_API_KEY and NEWS_BIGDATA_API_SECRET), which align with its API usage. It persists tokens to a local file and logs parts of the appid in logs; storing tokens locally is expected but increases local exposure of credentials if the directory is shared or backed up.
Persistence & Privilege
The skill writes two persistent artifacts into its directory by default: a token cache file (.mbd_token_cache.json) and saved search results under sources/. Those files contain tokens, query parameters and results and can leak sensitive data if the directory is accessible. The skill is not always:true and does not request elevated system privileges, but local file writes are significant and should be accepted explicitly by the user.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install media-search - 安装完成后,直接呼叫该 Skill 的名称或使用
/media-search触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of media-search skill for comprehensive media content searching.
- Supports search by keywords, time range, source, and data type, with advanced rules for keyword splitting and time parsing.
- Provides results via JSON file output or formatted console output.
- Flexible filtering, parameter validation, and error handling included.
- Result storage management, environment variable requirements, and workflow integration guidance provided.
元数据
常见问题
media-search 是什么?
当用户需要写新闻、找素材、查背景、核实信息、了解事件来龙去脉,或者提到"查一下"、"搜一下"、"找找相关报道"、"有什么最新消息"时,或开展互联网线索数据挖掘、新闻选题策划、内容采编、监测竞品或特定信源动态等业务时,需要进行全网媒体稿件检索、查找事件背景、行业数据、政策动态、人物信息、历史脉络等,都应使用此技能. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 86 次。
如何安装 media-search?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install media-search」即可一键安装,无需额外配置。
media-search 是免费的吗?
是的,media-search 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
media-search 支持哪些平台?
media-search 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 media-search?
由 liushilong-dodo(@liushilong-dodo)开发并维护,当前版本 v1.0.0。
推荐 Skills