Is fenge8400/fenge-smart-search safe?

https://github.com/openclaw/skills/tree/main/skills/fenge8400/fenge-smart-search

91
SAFE

fenge-smart-search is a straightforward dual-engine web search skill that routes Chinese queries to Bing and English queries to DuckDuckGo. The SKILL.md contains no prompt injection, the Python code performs no local file access or dangerous system calls, and canary file integrity was confirmed intact — the observed canary file open events in monitoring logs are attributable to the oathe monitoring infrastructure's baseline checks rather than the skill. The primary concerns are a self-promotional quality bias (docs.openclaw.ai rated equal to GitHub and Wikipedia in result scoring) and the inherent privacy implication of transmitting user queries to Microsoft Bing and DuckDuckGo.

Category Scores

Prompt Injection 98/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

LOW Self-promotional domain boosted to top quality tier in result ranking -8

The HIGH_QUALITY dictionary in skill.py assigns docs.openclaw.ai a score of 3.0 (labeled '⭐⭐⭐【官方】' / Official), identical to github.com, wikipedia.org, and stackoverflow.com. This systematically elevates the skill author's own documentation platform above neutral third-party sources in all search result rankings, creating a persistent conflict-of-interest bias in every search the agent performs.

LOW User search queries transmitted to third-party services -5

Every search query processed by this skill is sent as a plaintext HTTP GET parameter to cn.bing.com (for Chinese-language queries) or html.duckduckgo.com (for English queries). While this is the skill's documented purpose, users should be aware their queries leave the local environment and are processed by Microsoft and DuckDuckGo respectively.

INFO Canary file open events observed in monitoring logs — attributed to monitoring infrastructure -3

Filesystem audit events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials being opened at timestamps 1771923247 (5 seconds before git clone begins at 1771923252) and 1771923264 (during post-install audit teardown). These access events are attributable to the oathe monitoring harness performing pre/post canary baseline checks via sshd/sudo, not to the skill code. The canary integrity report explicitly confirms all files remain intact.

INFO Skill requires python3 and requests as external dependencies 0

SKILL.md metadata declares bins dependency on python3 and the requests library. The requests library is a well-known, widely-audited HTTP client. No version pinning is specified, which means future updates to requests could introduce changes, though this is standard practice for skill dependencies.