enderxiao

MiMo Web Search

Author: EnderXiao · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 248
Favorites: 1
Current installs: 1
Versions: 2
Install in OpenClaw
/install mimo-web-search
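Description
Provides real-time web search based on Xiaomi's MiMo model, supporting queries for the latest information and fact checking. Requires a configured API Key and is a paid service.
Security Recommendations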
Key things to consider before installing:
- Metadata mismatch: the registry advertises no required env vars but both SKILL.md and index.js require MIMO_API_KEY. Ask the publisher to update the registry entry so the required credential is explicit (primaryEnv should be MIMO_API_KEY).
- Shell injection risk: the implementation builds and runs a curl command via child_process.exec with the query embedded in JSON without proper escaping. Malicious or accidental input could break the command and enable injection. Prefer using an in-process HTTP client (fetch/axios/https.request) or securely escape inputs before using exec.
- Verify the API endpoint and publisher: source/homepage are missing. Confirm api.xiaomimimo.com is the legitimate MiMo API endpoint and that you trust the publisher before providing an API key.
- Costs and tests: test.js and examples will make live API calls and incur charges. Only run tests with a valid (and limited) API key and in an environment where you accept the billing risk.
- Mitigations: update the package/registry metadata to declare MIMO_API_KEY, replace shell exec with a safe HTTP client or properly escape inputs, and limit the API key's scope/permissions where possible. If you cannot validate the endpoint or publisher, avoid installing or provide a restricted key.
Functional Analysis
Type: OpenClaw Skill
Name: mimo-web-search
Version: 1.0.1

The skill contains a critical shell injection vulnerability in index.js. It uses child_process.exec to execute a curl command where the user-provided query is included in a JSON payload wrapped in single quotes. Because JSON.stringify does not escape single quotes, a crafted query (e.g., containing '; command ;) can break out of the shell string and execute arbitrary commands on the host. While the skill appears to be a legitimate tool for the MiMo search API (api.xiaomimimo.com), the unsafe handling of user input makes it highly vulnerable to exploitation.
Capability Assessment
Purpose & Capability
The skill's name, SKILL.md, and code all describe a MiMo web-search integration and call https://api.xiaomimimo.com, which is coherent with the description. However the registry metadata declares no required environment variables or primary credential, while both SKILL.md and index.js require MIMO_API_KEY. The missing declared env var in the metadata is an inconsistency that should be corrected or explained. Source/homepage are unknown which reduces traceability.
Instruction Scope
The runtime instructions tell the agent to call the MiMo API via curl/exec and to store an API key in MIMO_API_KEY — that is within scope. However the provided code builds a shell curl command by embedding JSON that includes user-provided query text directly into a single-quoted string and then runs it via child_process.exec. This can lead to shell/command injection if queries contain special characters (the code does not properly escape or avoid the shell). The SKILL.md examples repeat this pattern. Tests (test.js) will attempt real API calls, so installing/running tests may make live requests/cost money.
Install Mechanism
There is no install spec (instruction-only style); the package contains small Node.js files with no external dependencies. No downloads from arbitrary URLs or package installs are requested. This limits supply-chain risk compared to remote fetch/install flows.
Credentials
Only a single credential (an API key) is actually required at runtime (MIMO_API_KEY), which is reasonable for a web-search integration. However the registry metadata fails to declare this required env var or a primaryEnv, creating a mismatch between what the skill needs and what the registry advertises. That mismatch reduces transparency and is a governance concern. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configs, and requires no special system privileges. Autonomous invocation is allowed by default (not flagged here) and there is no evidence this skill attempts to persist tokens or escalate privileges.
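How to Use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install mimo-web-search
  3. Once installation completes, call the Skill by name or trigger it with /mimo-web-search
  4. Provide the required input according to the Skill's parameter description to get structured output
Version History
v1.0.1
Initial release: MiMo web search skill, supporting real-time information search through the web search feature of Xiaomi's MiMo model
v1.0.0
- First release, integrating the web search feature of the Xiaomi MiMo v2 model series
- Supports real-time information queries and retrieval of the latest developments
- Calls the MiMo web search API through the exec tool
- Provides detailed API Key configuration and usage instructions
- Includes model and billing requirements, plus error and troubleshooting guidance
Metadata
Slug mimo-web-search
Version 1.0.1
License MIT-0
Total installs 1
Current installs 1
Historical versions 2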
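FAQ

What is MiMo Web Search?

Provides real-time web search based on Xiaomi's MiMo model, supporting queries for the latest information and fact checking. Requires a configured API Key and is a paid service. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 248 total downloads to date.

How do I install MiMo Web Search?

Run the command "/install mimo-web-search" in the OpenClaw or Claude Code chat box for one-click installation, with no additional configuration required.

Is MiMo Web Search free?

Yes, MiMo Web Search is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does MiMo Web Search support?

MiMo Web Search runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops MiMo Web Search?

It is developed and maintained by EnderXiao (@enderxiao). The current version is v1.0.1.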
