Total downloads: 193
Favorites: 1
Current installs: 0
Versions: 2
Install in OpenClaw
/install yula-web-search
Description
Yula's custom web search - NO API KEY required. Uses multiple fallback search methods with public services that allow anonymous access. Works by direct curl...
Security usage recommendations
This skill does what it says—scrape search engines and fetch the top result pages—but it has no safeguards. Before installing, consider the following: (1) It will make HTTP requests from your environment to arbitrary URLs returned by search results; this can reach internal services (localhost, private IP ranges, cloud metadata endpoints like 169.254.169.254) and inadvertently leak sensitive data. (2) The skill scrapes search engines directly, which may violate the search provider's terms or be blocked. (3) There is no allowlist/denylist, no robots.txt handling, no user confirmation step, and no rate limiting. Recommended mitigations: install only if you trust the skill source; require the author to add explicit safety checks (block private IP ranges and cloud metadata addresses, enforce domain allowlist, limit number and size of fetched pages, ask for user confirmation before fetching pages, and respect robots.txt/ToS); or run the skill in an isolated network sandbox or through a vetted proxy/browsing service. If you cannot obtain those assurances, do not enable autonomous invocation for this skill and prefer solutions that use official search APIs or a trusted remote browsing proxy.
Functional analysis
Type: OpenClaw Skill
Name: yula-web-search
Version: 1.0.1
The skill implements a web search and content extraction tool by scraping Bing and Google via shell commands. It is classified as suspicious due to a significant shell injection vulnerability in SKILL.md, where the $QUERY variable is directly embedded into a python3 -c command string without adequate escaping, potentially allowing arbitrary command execution if the query contains single quotes or shell metacharacters. While the behavior aligns with the stated purpose and no intentional data exfiltration was found, the reliance on 'curl | python3' execution patterns and lack of input sanitization pose a high security risk.
Capability assessment
Purpose & Capability
Required binaries (curl, python3) and the stated behavior (HTML scraping, text extraction, summarization) are coherent with a web-scraping/search skill. However, the skill relies on scraping search engines (cn.bing.com, google.com) and then fetching arbitrary result pages — a more powerful capability than a simple query-only search and one that can have legal/ToS implications.
Instruction Scope
SKILL.md explicitly instructs the agent to (a) curl search engine HTML, (b) parse and extract result URLs, and (c) curl and extract full content from the top 2–3 result URLs with no domain allowlist, denylist, or checks. This permits requests to arbitrary hosts (including localhost, private IPs, and cloud metadata endpoints) and exfiltration of any fetched content. There are no safeguards (no robots.txt handling, no private-IP blocking, no user consent step, no rate limiting), and scraping search engines directly may be blocked or violate terms of service.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer, which reduces persistence concerns.
Credentials
The skill requests no credentials or config paths (proportionate). But despite lacking declared secrets, its runtime behavior uses the local environment's network to fetch arbitrary external/internal URLs, which is a capability that can access sensitive network resources even without env-var access.
Persistence & Privilege
always:false (not force-included). disable-model-invocation is false (agent may autonomously invoke the skill when triggered), which is platform-default. Autonomous invocation combined with unrestricted fetching increases blast radius — consider requiring explicit user confirmation before performing network fetches or disabling autonomous invocation for this skill.
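How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install yula-web-search
- Once installation completes, call the Skill by name or trigger it with /yula-web-search
- Provide the required inputs according to the Skill's parameter description to get structured output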
Version history
v1.0.1
1.0.1: Add correct metadata, improve README
v1.0.0
No API key required web search for OpenClaw. Uses local
Bing search via curl, automatically extracts content from top results and
summarizes. Perfectly optimized for Chinese language queries.
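FAQ
What is yula-web-search?
Yula's custom web search - NO API KEY required. Uses multiple fallback search methods with public services that allow anonymous access. Works by direct curl... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 193 downloads to date.
How do I install yula-web-search?
Run the command "/install yula-web-search" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is yula-web-search free?
Yes, yula-web-search is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does yula-web-search support?
yula-web-search runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed yula-web-search?
It is developed and maintained by yula (@wjzhb); the current version is v1.0.1.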