Openclaw Research Tool

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The tool can consume the user's OpenRouter account quota or incur costs when research queries are run.

Why it was flagged

The skill requires an OpenRouter API key, which is expected for its purpose but gives the tool delegated access to make provider API calls.

Skill content

Requires `OPENROUTER_API_KEY` env var. Get a key at https://openrouter.ai/keys

Recommendation

Use an OpenRouter key with appropriate spending limits, and rotate or revoke it if you stop using the skill.

What this means

Installing the skill depends on trusting the external Rust package that implements the research-tool binary.

Why it was flagged

The skill directs users to install an external CLI package. This is central to the skill, but the provided artifact set does not include the package code or a pinned install version.

Skill content

cargo install openclaw-search-tool

Recommendation

Install only from the expected package/source, review the linked project if needed, and consider pinning a known-good version.

What this means

Research jobs may keep running for many minutes and may continue consuming provider resources if not monitored.

Why it was flagged

The workflow encourages long-running sub-agent or exec usage without a timeout. This is explained as necessary for research latency, but it weakens normal runtime bounds.

Skill content

Recommended: Run research-tool in a sub-agent ... Never set a timeout on exec when running research-tool.

Recommendation

Monitor spawned research sessions, use provider spending limits, and apply a timeout when you need a hard runtime or cost boundary.

What this means

Sensitive information included in research prompts could be sent to OpenRouter or underlying model providers.

Why it was flagged

Queries and any context included in them are sent to an external model/provider flow. This is disclosed and purpose-aligned, but users should treat it as third-party data sharing.

Skill content

Web search for OpenClaw agents, powered by OpenRouter ... Provide maximum context. The model starts from zero.

Recommendation

Avoid including secrets, private documents, credentials, or unnecessary personal data in research queries.