michaelfanous2

Nyne Search

Author: Michael Fanous · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 645
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install nyne-search
Description
Search for people using natural language queries with the Nyne Search API. Find professionals by role, company, location, industry, or any combination. Suppo...
Security usage recommendations
This skill's instructions implement a people-search API and request an API key + secret, but the registry metadata does not declare those env vars or the runtime binaries (curl, jq, python3) used in examples. Before installing:
  1. Confirm you trust api.nyne.ai and understand billing/credits for email/phone enrichment.
  2. Ensure the agent environment has curl, jq, and python3 or update the skill metadata to declare them.
  3. Be aware the skill will surface potentially sensitive PII (emails, phone numbers, work history); confirm this is legally and ethically acceptable for your use.
  4. Avoid echoing secrets into logs or shells; if you must verify env vars, use safer checks (e.g., check for non-empty values rather than printing fragments).
  5. If you need stronger guarantees, ask the author to fix the metadata (declare NYNE_API_KEY and NYNE_API_SECRET as required env vars and list required binaries) and to document privacy/retention behavior for returned profiles.
Functional analysis
Type: OpenClaw Skill
Name: nyne-search
Version: 1.0.0
The skill is suspicious due to a shell injection vulnerability in SKILL.md. The `curl` command used for polling results, `curl -s "https://api.nyne.ai/person/search?request_id=$REQUEST_ID"`, directly embeds the `$REQUEST_ID` variable into a double-quoted string. If the Nyne API returns a `request_id` containing shell metacharacters (e.g., `$(command)`), this could lead to arbitrary command execution on the agent's host. This is a critical vulnerability, although it does not demonstrate intentional malice from the skill developer.
Capability assessment
Purpose & Capability
The SKILL.md clearly implements a people-search integration with Nyne (query submission, polling, showing profiles and optional contact enrichment). Requesting API key/secret and returning emails/phones is coherent with a people-search service. However, the registry metadata lists no required environment variables or binaries while the instructions require NYNE_API_KEY and NYNE_API_SECRET and use curl, jq, and python3 — a metadata/instruction mismatch.
Instruction Scope
Instructions direct the agent to display 'all returned data' for each profile (including emails, phone numbers, work history, education, patents), which is expected but high privacy/PII exposure. The SKILL.md also defines helper shell functions and writes results to /tmp/nyne_search.json. It echoes a partial secret for verification, which can leak secrets into shell history or logs. The instructions do not attempt to exfiltrate data to unexpected endpoints, but they do instruct broad disclosure of personally identifiable information — confirm legal/privacy appropriateness.
Install Mechanism
There is no install spec (instruction-only), which is low risk for code execution. However, the runtime examples assume availability of curl, jq, and python3; the skill metadata did not declare these required binaries. That mismatch can lead to runtime failures or hidden assumptions about the agent environment.
Credentials
The SKILL.md requires NYNE_API_KEY and NYNE_API_SECRET — appropriate for the API — but the registry metadata claims no required env vars or primary credential. This is a substantive inconsistency. Also note the skill enables optional flags that incur credit costs and return sensitive contact details; ensure the API key's billing and access scope are understood before use. The practice of echoing parts of secrets can leak them to logs or histories.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not include install-time modifications or cross-skill config changes. It is user-invocable and allows autonomous invocation by the model (default), which is normal — no extra persistence privileges are requested.
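How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install nyne-search
  3. Once installation completes, call the Skill by name or trigger it with /nyne-search
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history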
v1.0.0
- Initial release of nyne-search skill.
- Enables searching for professionals by natural language query with Nyne Search API, supporting filters by role, company, location, industry, and more.
- Supports three search tiers (light, medium, premium), async search flow (POST to submit, poll GET with request_id), and result pagination.
- Returns comprehensive profile data: contact enrichment, work history, education, skills, patents, social, interests, AI relevance scoring, and insights.
- Provides detailed usage, setup, and robust JSON parsing instructions to handle API responses.
Metadata
Slug nyne-search
Version 1.0.0
License
Total installs 0
Current installs 0
Historical versions 1
FAQ

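What is Nyne Search?

Search for people using natural language queries with the Nyne Search API. Find professionals by role, company, location, industry, or any combination. Suppo... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 645 total downloads so far.

How do I install Nyne Search?

Run the command "/install nyne-search" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Nyne Search free?

Yes, Nyne Search is completely free (open source and free of charge) and can be freely downloaded, installed, and used.

Which platforms does Nyne Search support?

Nyne Search runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Nyne Search?

It is developed and maintained by Michael Fanous (@michaelfanous2); the current version is v1.0.0.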
