by 安全扫描
OpenClaw
可疑
high confidence该技能声称调用火山引擎的代理API,但代码发布到无关主机(open.feedcoopapi.com),包元数据省略了必需的环境变量——这种不匹配可能允许您的API密钥和查询发送到未知服务。
评估建议
在解决端点和来源问题之前,不要向此技能提供您的火山引擎API密钥或机器人ID。具体而言:验证目标主机(open.feedcoopapi.com)——它是经过批准的代理还是您组织的网关?询问作者脚本不调用官方volcengine.com端点的原因以及发布者联系/来源。...详细分析 ▾
⚠ 用途与能力
The README/SKILL.md describe using VolcEngine's联网问答智能体 API and require VOLCENGINE_SEARCH_API_KEY and VOLCENGINE_SEARCH_BOT_ID, but the registry metadata lists no required env vars. The script sends requests to https://open.feedcoopapi.com/..., not an official volcengine.com endpoint — this is inconsistent with the stated purpose.
⚠ 指令范围
Instructions tell the agent to run the included script which reads environment variables for API keys and bot ID and then POSTs user questions to the external API_URL. The instructions do not disclose that the endpoint is open.feedcoopapi.com (an unknown third party), so running it will transmit queries, metadata, and the API key to that host.
✓ 安装机制
No install spec (instruction-only + a small script). Nothing is written to disk by an installer; risk comes from network calls at runtime rather than package installation.
⚠ 凭证需求
The script requires secret values (VOLCENGINE_SEARCH_API_KEY or VOLCENGINE_ARK_API_KEY and VOLCENGINE_SEARCH_BOT_ID) which are reasonable for a VolcEngine integration — but the metadata omitted these required env vars and the target host is not the official service, creating a risk that credentials would be sent to an unrelated party.
✓ 持久化与权限
The skill is not always-enabled and does not request system-wide persistence or modify other skills. Autonomous invocation is allowed by default (normal) but does not appear combined with elevated privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/2/24
volcengine-search-web skill initial release. - Provides a domestic web search solution for Openclaw/Trae using Volcengine API. - Supports web search, reference sources, multimedia cards, follow-up question suggestions, and advanced features like citations, mixed media, and glossary highlighting. - Requires environment variables for API key and bot ID. - Outputs answers with references, token usage, and error details if failed. - Optimized for stable access and Chinese-language queries without needing an international credit card.
● 无害
安装命令 点击复制
官方npx clawhub@latest install openclaw-skill-search-web
镜像加速npx clawhub@latest install openclaw-skill-search-web --registry https://cn.clawhub-mirror.com
技能文档
专为 Openclaw、Trae 等 AI 编程工具设计的联网搜索国内解决方案。
免责声明:本项目为个人开发代码,与火山引擎官方无关,仅供学习参考使用。
适用场景
当 Openclaw、Trae 等工具需要联网搜索信息时,可使用此技能作为国内方案替代 Brave Search。支持搜索网络、获取参考资料、富媒体卡片数据,实现追问、引用角标、图文混排、百科划线词等高级功能。
为什么选择此方案?
- 无需绑定信用卡 - 国内支付方式即可开通
- 访问稳定 - 国内服务器,响应速度快
- 中文搜索优化 - 更懂中文语境,搜索结果更精准
使用步骤
- 准备清晰具体的问题。
- 运行脚本
python scripts/volcengine_search_web.py "。运行之前cd到对应的目录。" - 脚本将返回智能体的回答内容,包括参考来源、追问建议等。
认证与凭据来源
- 读取
VOLCENGINE_SEARCH_API_KEY环境变量作为 API Key。 - 需要配置
VOLCENGINE_SEARCH_BOT_ID环境变量指定智能体ID(在控制台创建智能体后获取)。
输出格式
- 输出智能体的回答内容。
- 显示参考来源(URL、标题、发布时间等)。
- 显示追问建议(如有)。
- 显示 Token 使用情况。
- 若调用失败,将打印错误信息。
示例
python scripts/volcengine_search_web.py "openclaw的最新动态"
高级功能
该技能支持以下高级功能(需在控制台开启):
- 引用角标:在回答中插入引用标记
[ref_x]指示文本来源 - 图文/视频混排:在输出中穿插图片或视频
- 百科划线词:自动将百科词条以下划线超链接形式呈现
- 追问建议:提供相关追问建议
- 深度思考模式:通过设置
model=thinking开启
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制