← 返回 Skills 市场
Web Claude
作者
mupengi-bot
· GitHub ↗
· v1.0.0
1747
总下载
0
收藏
15
当前安装
1
版本数
在 OpenClaw 中安装
/install mupeng-web-claude
功能描述
Unified web search skill. Fallback order — web_search(Brave) → duckduckgo → claude.ai. Auto-cache search results (saved to memory/research/)
安全使用建议
This skill mostly does what it says (three-tier web search plus caching), but there are important omissions and privacy concerns you should resolve before installing:
- Ask the author to explicitly declare required credentials and dependencies in the registry metadata: Brave API key (or how web_search obtains it), any duckduckgo_search Python package requirement, and that a logged-in claude.ai/OpenClaw browser is required.
- Understand and control local caching: the skill will auto-create memory/research/ and write every query and results there. If you may query sensitive topics, turn off caching or inspect/clean that folder regularly.
- Confirm runtime assumptions: the SKILL.md assumes Python and the duckduckgo_search package and an OpenClaw browser listening on port 18800. If you don't want those present, do not enable the skill.
- Rate-limit and automation detection: the skill instructs automated queries against claude.ai and warns about automation detection; use cautiously and prefer DuckDuckGo or Brave where possible.
- If you cannot verify the author or prefer tighter control, run the skill in a sandboxed agent with no access to sensitive credentials or restrict the skill's ability to write persistent storage.
If the author updates the metadata to declare required env vars (Brave key, any claude.ai token usage) and the dependency list (duckduckgo_search, Python), and documents the caching behavior and opt-out, this assessment could move to benign.
功能分析
Type: OpenClaw Skill
Name: mupeng-web-claude
Version: 1.0.0
The skill is classified as suspicious due to the direct command execution mechanism using `python -c "..."` for the DuckDuckGo search functionality in SKILL.md. While the provided example is benign, this pattern introduces a significant prompt injection vulnerability. A malicious prompt could instruct the AI agent to construct and execute arbitrary shell commands via this mechanism, leading to potential remote code execution, even though the skill itself does not exhibit explicit malicious intent like data exfiltration or persistence.
能力评估
Purpose & Capability
The name/description (unified web search with Brave → DuckDuckGo → claude.ai) matches the SKILL.md behavior. However, the SKILL.md explicitly says a Brave API key is required and the claude.ai browser/login is required, yet the registry metadata lists no required env vars or primary credential. That discrepancy (claimed requirements not declared) is an incoherence.
Instruction Scope
Instructions are explicit about three-tier search and browser automation against claude.ai (navigate, type, press Enter, wait, snapshot). They also instruct automatic caching of every search result to memory/research/. These behaviors are within the stated search purpose, but the automatic persistent storage of search queries/results can leak sensitive queries and is not surfaced in the skill metadata or permission list.
Install Mechanism
This is instruction-only with no install spec or downloadable artifacts, so there's no installer risk. However, instructions assume third-party runtime components (Python and the duckduckgo_search library, and OpenClaw browser on port 18800) that are not declared as requirements.
Credentials
The SKILL.md refers to a Brave API key and to interacting with claude.ai (implying an authenticated session), but the skill metadata declares no required env vars/credentials. It also assumes access to a local memory path (memory/research/) where it will write cached results. Missing declarations of these credentials/dependencies is disproportionate and risky—users won't be informed about credential needs or persistent storage.
Persistence & Privilege
always:false and standard autonomous invocation behavior are fine. The more relevant persistence risk is that the skill will auto-create and write files into memory/research/ for every query. That is normal for a cache but is not declared in the metadata and can persist sensitive queries/results.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mupeng-web-claude - 安装完成后,直接呼叫该 Skill 的名称或使用
/mupeng-web-claude触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Unified web search: Brave → DuckDuckGo → Claude.ai fallback
元数据
常见问题
Web Claude 是什么?
Unified web search skill. Fallback order — web_search(Brave) → duckduckgo → claude.ai. Auto-cache search results (saved to memory/research/). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1747 次。
如何安装 Web Claude?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mupeng-web-claude」即可一键安装,无需额外配置。
Web Claude 是免费的吗?
是的,Web Claude 完全免费(开源免费),可自由下载、安装和使用。
Web Claude 支持哪些平台?
Web Claude 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Web Claude?
由 mupengi-bot(@mupengi-bot)开发并维护,当前版本 v1.0.0。
推荐 Skills