Total downloads: 918
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install perplexity-safe
Description
Use Perplexity API for web-grounded AI search. Use when user needs up-to-date information with source citations, factual queries about current events, or research-style answers. Default when user mentions Perplexity or needs current information with references.
Security usage advice
This package is functionally consistent with a Perplexity API client and shows attention to common shell security issues, but pay attention to three things before installing/using it:
1) Metadata mismatch: the registry claims no required env vars or binaries, but the script needs an API key (PERPLEXITY_API_KEY or config.json) and requires bash, curl, and python3. Treat the API key as sensitive and do not provide it without confirming where the platform will store/use it.
2) Temporary auth file: the script writes the Authorization header to a temp file (mode 600) and deletes it; this reduces exposure but is not risk-free (race conditions, leftover files if the process is killed in unusual ways). If you are highly sensitive, review the script and consider running it in a sandbox or modifying it to use a more secure secret mechanism your environment provides.
3) Verify origin and endpoint: source and homepage are unknown. Confirm the endpoint (https://api.perplexity.ai/chat/completions) and the included code align with the published API and trustworthiness of the package owner. If you do not trust the publisher, run the script in an isolated environment or prefer an officially supported integration.
If you plan to install this skill: request the publisher update registry metadata to declare the required env var(s) and binaries, inspect the code yourself (or ask a colleague), and avoid supplying production API keys until you are confident in provenance.
Functional analysis
Type: OpenClaw Skill
Name: perplexity-safe
Version: 1.0.1
The `scripts/perplexity_search.sh` script is well-hardened against command injection and API key exposure, validating inputs and securely handling credentials as claimed in `SKILL.md`. However, the `_claude/settings.local.json` file grants `WebFetch` permissions to `github.com`, `raw.githubusercontent.com`, and `api.github.com`. These permissions are not utilized by the provided script, which only interacts with `api.perplexity.ai`. This over-permissioning represents a vulnerability, as it grants capabilities beyond the skill's stated purpose, making the bundle suspicious.
Capability assessment
Purpose & Capability
The skill's stated purpose is Perplexity web-grounded search and the code indeed implements a Perplexity API client. However the registry metadata claims no required environment variables or binaries, while the script requires an API key (PERPLEXITY_API_KEY or config.json) and depends on bash, curl, and python3. This mismatch between what the skill needs and what the registry declares is an incoherence a user should be aware of.
Instruction Scope
SKILL.md and the script keep behavior within the stated purpose: they build a JSON body, POST to the configured Perplexity endpoint, and parse citations. The runtime instructions do not ask the agent to read unrelated system files or other credentials. The skill documents mitigations for command-injection and process-list leakage, and the script largely follows those mitigations (passing user input via environment variables into python, validating inputs). Minor risks remain (temporary file use for the Authorization header; reliance on parsing response structure), but overall the instructions stay within scope.
Install Mechanism
No install spec is provided (instruction-only with an included script). That is low-risk from an installation perspective — nothing is downloaded or executed automatically beyond the provided script. The included code is readable and present in the package.
Credentials
The skill requires an API key (documented in SKILL.md and enforced by the script) and depends on curl and python3, but the registry metadata lists no required env vars or required binaries. The missing declaration of a sensitive credential (PERPLEXITY_API_KEY or config.json with apiKey) is the primary proportionality issue. The number of secrets requested is small and appropriate for the purpose, but it is not declared where the platform expects it.
Persistence & Privilege
The skill does not request permanent/force-included presence (always:false), does not modify other skills or global agent settings, and does not require elevated OS privileges. It writes a short-lived temp file for curl config (mode 600) and removes it; this is normal operational behavior, not a persistence privilege escalation.
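How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install perplexity-safe`
- Once installation completes, call the Skill by name or use `/perplexity-safe` to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output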
Version history
v1.0.1
- Improved API key security: The Authorization header is now provided to curl via a temporary config file (`curl -K`, mode 600), further preventing exposure in process listings.
- Clarified security notes to reflect the updated key handling method, emphasizing additional protection of API secrets.
- No code or file changes; documentation update only.
v1.0.0
Perplexity AI Search (Safe Edition) 1.0.0
- Initial release of a security-hardened Perplexity API search skill.
- Prevents command injection and secures API key handling.
- Adds robust input validation and strict model allowlist.
- Supports up-to-date factual search with real-time citations, multiple models, and adjustable context size.
- Documentation details setup, usage, options, cost awareness, and troubleshooting.
FAQ
What is Perplexity AI Search - security-hardened version (bash-based)?
Use Perplexity API for web-grounded AI search. Use when user needs up-to-date information with source citations, factual queries about current events, or research-style answers. Default when user mentions Perplexity or needs current information with references. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 918 cumulative downloads so far.
How do I install Perplexity AI Search - security-hardened version (bash-based)?
Run the command "/install perplexity-safe" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is Perplexity AI Search - security-hardened version (bash-based) free?
Yes, Perplexity AI Search - security-hardened version (bash-based) is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Perplexity AI Search - security-hardened version (bash-based) support?
Perplexity AI Search - security-hardened version (bash-based) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Perplexity AI Search - security-hardened version (bash-based)?
It is developed and maintained by haru3613 (@haru3613); the current version is v1.0.1.