📦 Deep Research Pro Litiao — 深度搜索报告
v1.0.0多源深度研究智能体,先调用 Tavily API 检索网页,失败时退回到 DuckDuckGo,自动综合信息并生成带引用来源的完整报告,一键获取可靠研究结论。
0· 236·4 当前·4 累计
by @litiao1224下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceThe skill's high-level description (no API keys required) conflicts with its runtime instructions (it prefers a TAVILY_API_KEY) and it tells the agent to execute external scripts in specific user paths that are not bundled with the skill, which is unexpected and worth caution.
评估建议
This skill is inconsistent and needs human review before trusting it with credentials or letting it execute on your machine. Actions to consider before installing or enabling: 1) Verify whether you actually need Tavily — if not, avoid supplying TAVILY_API_KEY. 2) Inspect the external scripts the SKILL.md references (~/.openclaw/workspace/skills/tavily-search-litiao and /home/clawdbot/clawd/skills/ddg-search) — the skill will execute code there but those files are not bundled with the skill. 3) C...详细分析 ▾
⚠ 用途与能力
The README and package.json claim 'No API keys required' while SKILL.md requires TAVILY_API_KEY (preferred). That inconsistency suggests either sloppy packaging or hidden dependency on an external API not reflected in top-level metadata. The skill also references multiple local script paths (~/.openclaw/workspace/... and /home/clawdbot/...) that are outside the skill bundle — executing them is not required by the stated purpose (a self-contained research agent) unless those scripts are present, which the package does not include.
⚠ 指令范围
SKILL.md instructs the agent to run external node scripts and a system ddg script at absolute local paths and to curl arbitrary URLs and pipe HTML into a Python snippet. Because no code files are included in the skill bundle, the runtime depends on external scripts/tools that may contain arbitrary logic. It also writes reports to ~/clawd/research/[slug] and instructs spawning sub-agents with sessions_spawn — these actions are expected for research but carrying out external scripts in other system locations expands the execution surface and is unexpected for an instruction-only skill.
ℹ 安装机制
No install spec (instruction-only), which minimizes what the skill writes to disk itself. However, the instructions expect external scripts and tools (Tavily scripts under ~/.openclaw/workspace and a ddg script under /home/clawdbot/...) that are not provided — the agent will attempt to run code located elsewhere on disk or rely on the environment, which is a risk vector.
⚠ 凭证需求
The skill declares TAVILY_API_KEY as a required env var in SKILL.md and metadata, but README/package.json say 'No API keys required'. Requesting an API key is plausible for a 'preferred' Tavily integration, but the conflicting documentation is a red flag. Asking for a single search API key is otherwise proportionate, but the expectation that the agent will also call local scripts (not declared) increases the sensitivity: you should not provide credentials without verifying the code that will use them.
ℹ 持久化与权限
always:false and normal model invocation settings. The skill instructs writing reports under the user's home directory (~/clawd/research) and spawning sub-agents; these are normal for a research agent. There is no request for persistent 'always' installation or to modify other skills, but the ability to run external local scripts and spawn sessions increases the blast radius if those external scripts are untrusted.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/17
Bug fixes and improvements with -litiao suffix
● 可疑
安装命令
点击复制官方npx clawhub@latest install deep-research-pro-litiao
镜像加速npx clawhub@latest install deep-research-pro-litiao --registry https://cn.longxiaskill.com