brennerspear

Research

Author: BrennerSpear · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 1151
Favorites: 0
Current installs: 9
Versions: 1
Install in OpenClaw
/install research-agent
Description
Conduct open-ended research on a topic, building a living markdown document. Supports interactive and deep research modes.
Security usage recommendations
This skill's docs expect a 'parallel-research' CLI and 'export-pdf' script plus a PARALLEL_API_KEY, but those scripts and the env var are not declared or bundled. Before installing or following SETUP.md:
  1. Ask the author for the missing scripts (or a trusted release URL) and for a homepage/repo so you can review their code.
  2. Do not blindly run the curl | sh installer (astral.sh) — audit that script or install uv/pymupdf via your distro/package manager instead.
  3. Prefer storing API keys in a secure secret store or OS keyring rather than echoing into a plaintext file and appending 'export' into ~/.bashrc.
  4. If you must symlink scripts, inspect them first and avoid system-wide /usr/local installs unless you trust the source.
  5. Verify how cron payloads deliver messages and what data they include (cron jobs could leak results or identifiers to external channels).
If the author provides the missing artifacts and a trustworthy source for the uv installer, the architecture is reasonable; without that, the package is inconsistent and should be treated with caution.
Functional analysis
Type: OpenClaw Skill
Name: research-agent
Version: 1.0.0
The skill is classified as suspicious due to several risky practices and potential vulnerabilities, despite lacking clear evidence of malicious intent. Key indicators include the `SETUP.md` file using `curl -LsSf ... | sh` for installing `uv`, which introduces a supply chain risk, and the use of `export $(cat ... | xargs)` for loading API keys, which can be vulnerable if the `.env` file is untrusted. Most critically, the `OPENCLAW.md` file instructs the agent to schedule cron jobs with a `message` payload that contains direct command execution instructions (e.g., `Run: parallel-research result <run_id>`). While intended for legitimate functionality, this represents a prompt injection vulnerability that could lead to remote code execution if the `<run_id>` or other parts of the message were controllable by an attacker.
Capability assessment
Purpose & Capability
The skill claims to run deep async research via a 'parallel-research' CLI and to export PDFs via an 'export-pdf' script. However, the package contains only docs (OPENCLAW.md, SETUP.md, SKILL.md) and no scripts or binaries. The instructions expect files under ~/.openclaw/skills/research/scripts/, but those scripts are not present—this mismatch suggests either missing artifacts or sloppy packaging.
Instruction Scope
Runtime instructions tell the agent to create files under ~/.openclaw/workspace/research and to schedule cron jobs that deliver results back to a source channel. They also instruct how to store and expose PARALLEL_API_KEY via a local .env and by appending an export to shell profile. The doc assumes an env var exists and that cron jobs can deliver messages to external channels—these behaviors are plausible for a research skill but the instructions reference environment/config that were not declared and that enable external delivery of results, which increases the risk surface.
Install Mechanism
There is no formal install spec, but SETUP.md recommends symlinking local scripts (which are absent) and running a remote installer via curl (curl -LsSf https://astral.sh/uv/install.sh | sh). Advising an unattended remote install script is high-risk. Also recommending global symlinks (/usr/local/bin) and modifying ~/.bashrc are persistent, privileged operations. The absence of included scripts plus a remote install command is a problematic combination.
Credentials
The skill metadata declares no required env vars, yet the docs repeatedly rely on PARALLEL_API_KEY being present and instruct creating ~/.secrets/parallel_ai/.env and exporting it into the shell profile. Asking users to store an API key in plain text and append it to shell startup without declaring the key in the skill manifest is disproportionate and inconsistent. The requested secret itself (Parallel AI key) is plausible for the described deep-research capability, but the handling guidance is insecure and undocumented in the manifest.
Persistence & Privilege
The skill does not request always:true and doesn't claim extra platform privileges. However, SETUP.md instructs persistent changes (symlinks into user PATH, appending exports to ~/.bashrc, creating ~/.secrets, and scheduling cron jobs). Those are normal for CLI tooling but are materially persistent and should be performed only after verifying the scripts being linked and installed.
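How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install research-agent
  3. Once installation completes, call the Skill by name or trigger it with /research-agent
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history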
v1.0.0
Auto-publish from CI
Metadata
Slug research-agent
Version 1.0.0
License
Total installs 11
Current installs 9
Number of past versions 1
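FAQ

What is Research?

Conduct open-ended research on a topic, building a living markdown document. Supports interactive and deep research modes. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1151 total downloads to date.

How do I install Research?

Run the command "/install research-agent" in the OpenClaw or Claude Code dialog box to install it in one step; no additional configuration is required.

Is Research free?

Yes, Research is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Research support?

Research runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Research?

Developed and maintained by BrennerSpear (@brennerspear); the current version is v1.0.0.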
