Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill appears to document a JD-internal CLI for searching private JD services, but the published bundle is inconsistent: package.json suggests a Node CLI, README mentions Python and an executable at a local developer path, yet the actual executable file is missing. Before installing or running anything: 1) Don’t run unreviewed binaries — request the jd-search script/source code and inspect it. 2) Confirm the skill’s origin and whether you’re on JD’s internal network (the endpoints are inter...
ℹ Purpose and capabilities
The skill claims to be a CLI wrapper for JD Gongcai search APIs and the SKILL.md documents exactly those internal endpoints (http://vproxy-search.jd.local/, http://gcy.p-search.jd.local/). That capability is coherent with the name/description. However, the package metadata and README disagree about implementation (package.json declares a Node CLI, README mentions a Python dependency and a ./jd-search script), and the file manifest does not include an actual jd-search executable. These mismatches mean the published bundle does not contain the runtime it advertises.
ℹ Instruction scope
SKILL.md limits runtime behavior to forming HTTP GET requests against JD internal endpoints and formatting results. It does not instruct the agent to read unrelated files or credentials. Caveat: the endpoints are internal-only hostnames — calling them from a machine that has network access could expose internal data or fail outside JD's network. The instructions do not attempt data exfiltration to third-party hosts.
ℹ Install mechanism
No install spec is present (instruction-only), which is low risk. But README shows installation steps that reference an executable path (/Users/zhangrongfa/.joyclaw/...) and symlinking a jd-search binary; that script is not present in the published files. This suggests incomplete packaging or missing artifacts rather than a standard, installable release.
✓ Credential requirements
The skill declares no required environment variables, credentials, or config paths — appropriate for a simple HTTP search wrapper. No undeclared env access is instructed in SKILL.md. Note: README contains a user-specific absolute path which is irrelevant but indicates this copy may have been packaged from a developer workspace.
✓ Persistence and privileges
always:false and no special privileges are requested. The skill does not request persistent system-wide changes in its manifest. Autonomous invocation is allowed (platform default) but not accompanied by other red flags.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/31
● Benign
Install command
Official: npx clawhub@latest install jd-search
Mirror: npx clawhub@latest install jd-search --registry https://cn.longxiaskill.com