Is bartoszpijet/zai-search safe?

https://github.com/openclaw/skills/tree/main/skills/bartoszpijet/zai-search

Overall score: 85
Verdict: SAFE

This appears to be a legitimate web search skill that uses the Z.AI Web Search API. The main security concern is the presence of executable JavaScript files whose source code could not be fully verified during the audit.

Category Scores

Category                Score     Weight
Prompt Injection        100/100   30%
Data Exfiltration       100/100   25%
Code Execution           70/100   20%
Clone Behavior          100/100   10%
Canary Integrity        100/100   10%
Behavioral Reasoning     90/100    5%

Findings (2)

MEDIUM (-30): Executable JavaScript files present

The skill contains two executable Node.js scripts (search.mjs and extract.mjs) that are invoked by the skill documentation. While the functionality appears legitimate for web search operations, the actual source code of these scripts was not fully provided in the audit evidence, preventing complete verification of their safety.

LOW (-10): Extract script uses native fetch

The extract functionality uses the native Node.js fetch API to retrieve and parse web pages. If an attacker could control the input URL, this could be misused to reach internal URLs or services that the skill's host can access but the caller should not.