Is gpyangyoujun/multi-search-engine safe?
https://github.com/openclaw/skills/tree/main/skills/gpyangyoujun/multi-search-engine
The gpyangyoujun/multi-search-engine skill is a pure-markdown, no-code search engine aggregator that provides URL templates for 17 web search engines. No prompt injection, executable code, data exfiltration mechanisms, malicious network connections, or canary file compromise were detected. The only noteworthy items are that reference documentation includes dual-use search operator examples (intext:password filetype:txt) and that the skill routes agent queries to Chinese domestic search services, both of which are inherent to a search aggregator's purpose rather than indicators of malice.
Findings (5)
LOW  Reference docs include credential-hunting search operator examples  (score: -8)
The file references/international-search.md documents the Google intext: operator with the example 'intext:password filetype:txt'. This is standard operator documentation, not an agent instruction, but if an agent reads these reference files as guidance it could apply these patterns to look for credentials on the filesystem or web.
LOW  Skill enables unrestricted web_fetch to 17 external search engines  (score: -10)
The skill instructs an agent to make web_fetch calls to a broad set of engines including some Chinese domestic search services (Baidu, Sogou, Toutiao, Jisilu). This is the skill's stated purpose, but it increases the agent's outbound network footprint and exposes query terms to those services. No malicious redirection or data encoding detected.
INFO  Credential file accesses are audit framework activity, not skill behavior  (score: 0)
Filesystem monitoring captured OPEN/ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. Cross-referencing with auditd timestamps and the canary integrity report confirms these are the oathe audit system's own canary lifecycle operations (pre-install baseline at 1771921857, post-install verification at 1771921875), not initiated by any skill code. All accesses are read-only (CLOSE_NOWRITE).
INFO  No executable code present — skill is static markdown only  (score: 0)
Complete filesystem diff confirms only markdown and JSON metadata files were installed. No package.json, no npm scripts, no shell scripts, no git hooks, no submodules, no symlinks.
INFO  Installation performed clean sparse checkout from expected source  (score: 0)
The git clone targeted github.com/openclaw/skills.git over HTTPS (140.82.121.4:443), sparse-checked out only the target skill path, copied files, and cleaned up /tmp/monorepo-clone. This matches expected installation behavior with no side effects.