by 安全扫描
OpenClaw
可疑
high confidenceNULL
评估建议
This skill appears to be a simple wrapper around the duckse CLI and is otherwise coherent, but the SKILL.md recommends installing by piping a remote script into bash (curl | bash). Running such scripts executes code from a remote source and can be dangerous. Before installing or invoking the installer: (1) inspect the install.sh contents directly in your browser or git clone the repository and read the script; (2) prefer installing from a distribution package or a vetted release if available; (3...详细分析 ▾
✓ 用途与能力
Name/description match the instructions: SKILL.md documents using the duckse (DDGS-based) CLI to perform web, news, image, and video searches. The skill declares no credentials or special privileges and the listed command options are consistent with a search CLI.
ℹ 指令范围
Instructions are narrowly scoped to running duckse commands and troubleshooting PATH. They do not request reading unrelated files or environment secrets. However, the SKILL.md includes an explicit installer command (curl https://raw.githubusercontent.com/.../install.sh | bash) and a development fallback invoking local code (uv run python main.py), which broaden the operational surface the agent might execute.
⚠ 安装机制
There is no formal install spec in the registry, but the SKILL.md tells the agent/user to run a remote install script piped to bash from raw.githubusercontent.com. Download-and-execute of a remote script is a higher-risk install pattern (arbitrary code execution). While GitHub raw URLs are a common host, executing an external script without verification is risky and disproportionate to a simple search helper.
✓ 凭证需求
The skill requests no environment variables, no credentials, and no config paths. Troubleshooting mentions adjusting PATH and optional proxy/timeout flags in duckse, which are proportional to a CLI search tool.
✓ 持久化与权限
The skill does not request always:true or any permanent elevated presence. It's instruction-only and user-invocable; there is no indication it modifies other skills or system-wide agent configurations.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/2/8
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install duckse
镜像加速npx clawhub@latest install duckse --registry https://cn.longxiaskill.com