1999azzar

Search Cluster

Author: azzar budiyanto · GitHub · v3.5.1
cross-platform ⚠ suspicious
Total downloads: 1356
Favorites: 0
Current installs: 7
Versions: 22
Install in OpenClaw
/install search-cluster
Description
Aggregated search aggregator using Google CSE, GNews RSS, Wikipedia, Reddit, and Scrapling.
Security usage recommendations
This skill appears to do what it claims: aggregate searches across Google CSE, Wikipedia, Reddit, Google News RSS, and a scrapling-based DuckDuckGo scraper. Before installing, consider the following:
  1. Run the scrapling provider in a dedicated, isolated virtual environment as instructed and set SCRAPLING_PYTHON_PATH to that venv's python to avoid executing unreviewed code with your system python.
  2. The SKILL.md references a scripts/ path while the files are at the repository root — verify the file paths when invoking the tool.
  3. The scrapling package executes scraping logic (stealth_fetch.py runs as a subprocess); review that package's source or use network isolation if you don't trust it.
  4. Google API keys (if used) and any Redis host you configure should be scoped and protected; REDIS_HOST is optional and only used for caching.
  5. If you need higher assurance, inspect the referenced GitHub homepage (skill.json points to a repo) and/or run the code in a sandbox before granting access to any credentials or production networks.
Functional analysis
Type: OpenClaw Skill
Name: search-cluster
Version: 3.5.1
The skill is classified as suspicious due to a potential Remote Code Execution (RCE) vulnerability in `search-cluster.py`. The `subprocess.run` call for the `scrapling_search` function uses the `SCRAPLING_PYTHON_PATH` environment variable as the executable path. If an attacker can control this environment variable, they could point it to an arbitrary executable, leading to RCE. While the skill's stated purpose is benign and it includes a prompt injection sanitizer (`internal_sanitize`), this configurable executable path represents a significant security risk, even without clear evidence of intentional malicious exploitation within the skill's own code.
Capability assessment
Purpose & Capability
Name/description match the implemented behavior: the code queries Google CSE (optional), Wikipedia, Reddit, GNews RSS, and a local scrapling-based scraper. Optional env vars (GOOGLE_*, SCRAPLING_PYTHON_PATH, REDIS_*, SEARCH_USER_AGENT) are appropriate for these providers. Minor inconsistency: registry metadata listed no homepage while skill.json contains a GitHub homepage; SKILL.md refers to scripts/ subpaths (scripts/search-cluster.py, scripts/stealth_fetch.py) but the actual files live at the repository root (search-cluster.py, stealth_fetch.py). This appears to be sloppy documentation rather than functional mismatch.
Instruction Scope
SKILL.md instructs creating a dedicated venv for scrapling and setting SCRAPLING_PYTHON_PATH; the runtime instructions and code keep network activity limited to provider endpoints (Google APIs, Wikipedia, Reddit, Google News RSS, DuckDuckGo via scrapling). The code uses subprocess.run to execute stealth_fetch.py with the query as an argument (explicit, not reading arbitrary files). There are no instructions to read unrelated system files or exfiltrate environment variables.
Install Mechanism
There is no install spec (instruction-only for the platform), which is low risk. SKILL.md requires creating a venv and pip-installing 'scrapling' there; skill.json lists python dependencies ('redis', 'scrapling') and binary 'python3' — this is consistent with the code (redis is optional and only imported when REDIS_HOST is set). No remote arbitrary downloads or extract steps are present.
Credentials
All requested/declared environment variables are proportional and directly tied to functionality: optional Google API credentials for CSE, SCRAPLING_PYTHON_PATH for the scraper venv, REDIS_HOST/PORT for caching, and SEARCH_USER_AGENT for HTTP requests. No unrelated secrets or broad credential requests are present.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and asks for no system-wide configuration or persistent privileges. It executes a local helper script via subprocess but that helper is packaged with the skill; this is expected behavior for the scrapling provider and is limited to the skill's scope.
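How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install search-cluster
  3. Once installation completes, invoke the Skill by name or trigger it with /search-cluster
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history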
v3.5.1
V3.5.1: Final flattened structure. All scripts in root to guarantee ClawHub inclusion. Fixed all reported bugs.
v3.4.0
V3.4.0: Fixed Redis recursion bug. Guaranteed inclusion of stealth_fetch.py. 100% manifest sync.
v3.3.0
V3.3.0: FIXED infinite recursion in redis_get. Included missing stealth_fetch.py. Fully synced manifest (Redis, User-Agent).
v3.2.0
V3.2.0: FIXED infinite recursion in redis_get. Included missing stealth_fetch.py. Updated manifest with all environment variables.
v3.1.0
V3.1.0: Full script inclusion, synced manifest (Redis, User-Agent), and clearer provider status.
v3.0.0
V3.0.0: Restoration of Wikipedia and Reddit. Full documentation restored. Industry-standard security and path-neutrality.
v2.9.0
V2.9.0: Restored Wikipedia and Reddit. Hardened security with built-in IPI scrubbing and path-neutrality.
v2.8.1
Final security hardening: fixed metadata manifest, removed cross-skill path coupling, and added built-in IPI protection.
v2.8.0
**Summary:** Adds integrated internal sanitization and optional Redis caching.
- Replaces guardian-wall sanitization with a native internal scrubber (Path Neutral).
- Adds support for optional Redis-based result caching (set REDIS_HOST).
- Updates documentation to reflect new sanitization and caching features.
v2.7.0
- Removed obsolete reference file: references/search-apis.md.
- Updated scripts/search-cluster.py (details not provided).
- No user-facing documentation changes in SKILL.md for this version.
v2.6.0
**Summary: Improved provider setup, security details, and documentation.**
- Updated documentation to clarify installation steps for the scrapling provider.
- Enhanced security posture section: clarified subprocess isolation and automatic sanitization.
- Added explicit environment variable instructions, including GUARDIAN_WALL_PATH.
- Improved and clarified provider descriptions.
- Output format and workflow steps highlighted for user guidance.
v2.4.0
- Updated scripts/search-cluster.py with internal improvements.
- No visible user-facing changes or updates to documentation.
v2.3.0
- Updated scripts/search-cluster.py.
- No user-facing changes documented in SKILL.md.
v2.2.0
**Search Cluster v2.2.0 — Security and Integrity Improvements**
- Removed dynamic Python code execution; now uses secure subprocess argument passing.
- Enforced strict SSL/TLS verification for all external network calls.
- Eliminated reliance on hard-coded workspace paths for better portability.
- Updated SKILL.md: clarified provider list, streamlined requirements, and modernized documentation.
- Added `stealth_fetch.py` script for enhanced stealth scraping capabilities.
v2.1.0
**Security and configuration improvements in version 2.1.0:**
- Added code-injection protection by sanitizing and escaping queries before execution.
- Enforced SSL verification for all API requests to enhance transport security.
- Updated documentation to clarify required and optional environment variables for configuration.
- Ensured all search results are formatted as JSON objects with clear source, title, link, and snippet fields.
- Strengthened workflow instructions for sanitizing outputs with the guardian-wall skill.
v2.0.0
Version 2.0.0 brings a major overhaul focused on stealth scraping and real-time aggregation across multiple web sources.
- Introduced "Scrapling" stealth scraping and Google News (GNews) RSS as primary search mechanisms for enhanced coverage and evasion of anti-bot systems.
- Updated source lineup: now supports Scrapling, GNews, Google CSE, Wikipedia, and Reddit, each optimized for specific information types.
- Requires a new Python virtual environment and dependencies tailored for stealth operations.
- All search results are now recommended to be passed through the `guardian-wall` skill for secure content sanitization.
- Documentation overhauled to reflect new workflow, source priorities, and technical requirements.
v1.1.2
Addressed audit findings: removed unverified SSL fallback, declared all required environment variables in metadata, and standardized documentation.
v1.1.1
Fix SSL verification issue on minimal environments
v1.1.0
Add NewsAPI support for latest news search
v1.0.2
search-cluster 1.0.2
- Minor changes made to scripts/search-cluster.py.
- No updates to documentation or usage in SKILL.md.
Metadata
Slug: search-cluster
Version: 3.5.1
License:
Total installs: 7
Current installs: 7
Number of historical versions: 22
FAQ

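What is Search Cluster?

Aggregated search aggregator using Google CSE, GNews RSS, Wikipedia, Reddit, and Scrapling. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1356 total downloads to date.

How do I install Search Cluster?

Run the command "/install search-cluster" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Search Cluster free?

Yes, Search Cluster is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Search Cluster support?

Search Cluster runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Search Cluster?

Developed and maintained by azzar budiyanto (@1999azzar); the current version is v3.5.1.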
