Total downloads: 457
Favorites: 0
Current installs: 2
Versions: 1
Install in OpenClaw
/install zhsearch
Description
Chinese search enhancement: search Baidu, Zhihu, and WeChat articles. Returns AI-optimized structured results in Chinese. Paid skill (0.001 USDT/call via Ski...
Security usage recommendations
This skill appears to implement the claimed searches, but I recommend caution before installing or enabling it broadly:
- Do not assume SKILL.md's 'no local files' claim is accurate: the skill reads identity files and will send an identifier (deviceId or hostname+username) to the billing endpoint.
- The code contains a hardcoded billing API key (lib/billing.mjs). That is a secret embedded in distributed code — it could be abused by the publisher or an attacker who modifies the skill. Ask the publisher why the key is embedded and request a safer billing design (server-side charging or per-install keys).
- The baidu module falls back to an undocumented third-party free API (v.api.aa1.cn). Ask the publisher to disclose all external endpoints and justify them.
- For testing, run the tool locally with the --no-billing flag and monitor network connections (or sandbox it) before giving it network access in production or allowing autonomous invocation.
- If you must use it: avoid installing on devices with sensitive local data or identity you don't want sent to an external billing service. Prefer installing only after the publisher removes the embedded API key or provides clear billing documentation and an opt-in consent flow.
If you want, I can produce a short message you can send to the publisher asking for: (1) removal of the hardcoded API key, (2) disclosure/justification of v.api.aa1.cn usage, and (3) correction of the SKILL.md claims about local file access.
Functional analysis
Type: OpenClaw Skill
Name: zhsearch
Version: 1.0.0
The skill implements a mandatory pay-per-use billing mechanism (0.001 USDT/call) that collects and exfiltrates system identifiers to a third-party service (skillpay.me). Specifically, search.mjs and lib/billing.mjs resolve a 'callerId' by reading local identity files (~/.openclaw/identity/device.json) or falling back to collecting the system hostname and username (os.hostname, os.userInfo), which are then sent to the billing API. While this behavior is documented in SKILL.md, the collection of host-level identity data for a search utility is a privacy risk and represents a high-privilege tracking behavior.
Capability assessment
Purpose & Capability
Name/description and code generally align (search Baidu, Zhihu, WeChat). However the code embeds a SkillPay API key and uses a third-party 'v.api.aa1.cn' free API as an alternate Baidu source (not declared in SKILL.md). The billing integration and embedded secret are not strictly necessary to perform scraping/searching and increase risk.
Instruction Scope
SKILL.md states 'Local files: None read or written' but search.mjs reads local files to resolve a caller ID (~/.openclaw/identity/device.json and possible OPENCLAW_STATE_DIR path). The code sends caller identity (or hostname/username) to the billing endpoint. The SKILL.md lists Baidu/Sogou/Zhihu/SkillPay but omits the alternate free API endpoint (v.api.aa1.cn) used by lib/baidu.mjs.
Install Mechanism
No install spec is provided (instruction-only install); the code is pure Node, with dependencies declared in package.json/package-lock.json (cheerio, commander). There are no downloads or opaque installers in the spec.
Credentials
The package requires only 'node', but the code reads environment variables OPENCLAW_CALLER_ID, OPENCLAW_AGENT_ID, and OPENCLAW_STATE_DIR (not declared in SKILL.md). More seriously, lib/billing.mjs contains a hardcoded API key (sk_...) and skill ID — a secret embedded in distributed code can be abused or exfiltrated and is disproportionate to a client-side search utility.
Persistence & Privilege
always:false and the skill does not request system-wide config changes. It does attempt to identify the caller (reading identity files or using hostname/username) to bill via SkillPay, which increases its privacy footprint but is not an elevated platform privilege like always:true.
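How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install zhsearch
- Once installation completes, invoke the Skill by name or trigger it with /zhsearch
- Provide the required input according to the Skill's parameter description to get structured output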
Version history
v1.0.0
Initial release: Baidu, Zhihu, WeChat article search with SkillPay billing
FAQ
What is Chinese Search Enhancement?
Chinese search enhancement: search Baidu, Zhihu, and WeChat articles. Returns AI-optimized structured results in Chinese. Paid skill (0.001 USDT/call via Ski... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 457 cumulative downloads to date.
How do I install Chinese Search Enhancement?
Run the command "/install zhsearch" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Chinese Search Enhancement free?
Yes, Chinese Search Enhancement is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Chinese Search Enhancement support?
Chinese Search Enhancement is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Chinese Search Enhancement?
It is developed and maintained by jinp0830 (@jinp0830); the current version is v1.0.0.