Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Search Pro
v2.1.4
Agent-first web search and retrieval for live web search, news search, docs lookup, code lookup, company research, site crawl, site map, and structured evide...
⭐ 9 · 6k · 72 current · 75 all-time
by @zjianru
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (live web/news/docs/code search, crawl, extract, research) match the code and declared requirements: Node runtime, optional provider API keys, and a config.json. The engines implemented (ddg, fetch, Exa, Tavily, Serper, SerpAPI, Querit, SearxNG, Perplexity, Brave, You.com, etc.) are consistent with the stated federated-search purpose.
Instruction Scope
SKILL.md and scripts direct the agent to run the included Node scripts, read config.json and optional provider env vars, and perform network fetches and crawls. The files show explicit safeguards (safe-fetch boundary: only http/https, block localhost/private/metadata targets, JS execution disabled for crawls) and use provider-specific APIs only when corresponding env keys are present. The instructions do not request unrelated system data or unrelated credentials.
Install Mechanism
The package is a code-backed Node bundle with no curl-to-shell bootstrap and no external archive downloads in the baseline path. The registry install spec indicates a bundled Node runtime (install.kind: node) and lists 'creates binaries: node' — this is likely a packaging descriptor to ensure Node is available, but you should verify how the registry/installer provides Node (it should not overwrite a system node binary or require elevated privileges).
Credentials
No required credentials are declared; many optional provider keys are listed (TAVILY_API_KEY, EXA_API_KEY, QUERIT_API_KEY, SERPER_API_KEY, BRAVE_API_KEY, SERPAPI_API_KEY, YOU_API_KEY, PERPLEXITY_API_KEY, OPENROUTER_API_KEY, KILOCODE_API_KEY, PERPLEXITY_GATEWAY_API_KEY, PERPLEXITY_BASE_URL, SEARXNG_INSTANCE_URL). These map directly to the implemented provider engines and are proportional to the skill's feature set. The skill also uses a local config.json and a cache directory (.cache/web-search-pro) as declared.
Persistence & Privilege
The skill is not forced-always (always:false) and uses normal autonomous invocation (disable-model-invocation:false). It stores local state under .cache/web-search-pro and reads a local config.json — reasonable for a search/runtime package. There is no evidence it modifies other skills or system-wide agent settings.
Assessment
This package appears to be what it says: a Node-based federated search and crawl runtime. Before installing, consider: 1) Only provide optional API keys for providers you trust — supplying a key lets that third-party service receive your search queries and extracted page content. 2) Confirm how the registry supplies the Node runtime (the install metadata mentions creating a 'node' binary); ensure installation won't overwrite your system node or require elevated privileges. 3) Review or run doctor.mjs/bootstrap.mjs in a sandbox first to inspect configured providers and baseline health. 4) Check config.json and the .cache/web-search-pro directory location if you want to control where state and cached copies of fetched content are stored. If you need higher assurance, review the assertSafeRemoteUrl and web-fetch implementations (they claim to block localhost/private/metadata targets and disable JS execution) or run the skill in an isolated environment.
scripts/crawl.mjs:118
Environment variable access combined with network send.
scripts/engines/brave.mjs:71
Environment variable access combined with network send.
scripts/engines/exa.mjs:8
Environment variable access combined with network send.
scripts/engines/perplexity.mjs:9
Environment variable access combined with network send.
scripts/engines/querit.mjs:14
Environment variable access combined with network send.
scripts/engines/searxng.mjs:11
Environment variable access combined with network send.
scripts/engines/serpapi.mjs:7
Environment variable access combined with network send.
scripts/engines/serper.mjs:8
Environment variable access combined with network send.
scripts/engines/tavily.mjs:8
Environment variable access combined with network send.
scripts/engines/you.mjs:64
Environment variable access combined with network send.
scripts/extract.mjs:125
Environment variable access combined with network send.
scripts/lib/bootstrap.mjs:90
Environment variable access combined with network send.
scripts/lib/config.mjs:487
Environment variable access combined with network send.
scripts/lib/planner.mjs:882
Environment variable access combined with network send.
scripts/lib/providers.mjs:455
Environment variable access combined with network send.
scripts/map.mjs:103
Environment variable access combined with network send.
scripts/review.mjs:85
Environment variable access combined with network send.
scripts/lib/config.mjs:117
File read combined with network send (possible exfiltration).
scripts/lib/health-state.mjs:82
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Plugin bundle (nix)
Skill pack · CLI binary · Config
Config requirements
State dirs: .cache/web-search-pro
CLI help (from plugin)
node {baseDir}/scripts/search.mjs --help
Runtime requirements
🔎 Clawdis
Bins: node
Config: config.json
Install
Bundled Node skill runtime
Bins: node
Config example
Starter config for this plugin bundle.
{
  env = {
    WEB_SEARCH_PRO_CONFIG = "./config.json";
  };
}