WebSearchAPI

Review

Audited by ClawScan on May 10, 2026.

Overview

The search tool mostly matches its stated purpose, but it ships with an undisclosed SearchAPI key that would be used by default.

Before installing, replace or remove the bundled API key, confirm you are using your own SearchAPI credential, and be aware that any agent-issued search query will be sent to SearchAPI. The tool appears purpose-aligned, but the shipped credential and file-name inconsistencies deserve review.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Searches may run under an embedded SearchAPI account/key, potentially exposing or consuming that account and leaving users unclear about which credential is being used.

Why it was flagged

A credential-like SearchAPI key is bundled in the shipped config even though the registry declares no primary credential and the SKILL.md tells users to configure their own key.

Skill content

"apiKey":"rEux5Wb3...CpNdHGf"

Recommendation

Remove the bundled key, ship a blank example config, declare the SearchAPI credential requirement, and require users to provide their own key through a clearly documented secure setup path.

What this means

Search queries, including any sensitive text the agent searches for, leave the local environment and are sent to SearchAPI.

Why it was flagged

The tool sends search terms and the configured API key to the SearchAPI provider; this is expected for the stated purpose but is still an external data flow users should understand.

Skill content

const API_BASE = 'https://www.searchapi.io/api/v1/search'; ... q: query, ... api_key: config.apiKey

Recommendation

Clearly disclose the third-party data flow and avoid sending sensitive private content as search queries unless the user approves.

What this means

Some documented commands or package entrypoints may fail, or may encourage users to look for or run a different file than the one reviewed.

Why it was flagged

The package entrypoints reference websearch.js, while the provided manifest contains websearchapi.js instead; this suggests a packaging mismatch, not proven malicious behavior.

Skill content

"main": "websearch.js", "bin": { "websearch": "./websearch.js" }

Recommendation

Align package.json, README, and SKILL.md with the actual executable file name, and include only reviewed files in the distributed skill.