Openclaw Research Tool

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-search-tool
Version: 0.1.5

The skill is classified as suspicious due to a clear instance of prompt injection against the OpenClaw agent within `SKILL.md`. The instruction "⚠️ Never set a timeout on exec when running research-tool." directly commands the agent on how to execute the skill, demonstrating a vulnerability where markdown instructions can influence the agent's operational parameters. While the intent here appears benign (to prevent premature termination of a long-running task), it highlights an attack surface for manipulating agent behavior. Additionally, the skill performs external network calls to openrouter.ai and requires an API key, which are high-risk capabilities, though justified by its stated purpose as a web research tool.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The tool can consume the user's OpenRouter account quota or incur costs when research queries are run.

Why it was flagged

The skill requires an OpenRouter API key, which is expected for its purpose but gives the tool delegated access to make provider API calls.

Skill content

Requires `OPENROUTER_API_KEY` env var. Get a key at https://openrouter.ai/keys

Recommendation

Use an OpenRouter key with appropriate spending limits, and rotate or revoke it if you stop using the skill.

What this means

Installing the skill depends on trusting the external Rust package that implements the research-tool binary.

Why it was flagged

The skill directs users to install an external CLI package. This is central to the skill, but the provided artifact set does not include the package code or a pinned install version.

Skill content

cargo install openclaw-search-tool

Recommendation

Install only from the expected package/source, review the linked project if needed, and consider pinning a known-good version.

What this means

Research jobs may keep running for many minutes and may continue consuming provider resources if not monitored.

Why it was flagged

The workflow encourages long-running sub-agent or exec usage without a timeout. This is explained as necessary for research latency, but it weakens normal runtime bounds.

Skill content

Recommended: Run research-tool in a sub-agent ... Never set a timeout on exec when running research-tool.

Recommendation

Monitor spawned research sessions, use provider spending limits, and apply a timeout when you need a hard runtime or cost boundary.

What this means

Sensitive information included in research prompts could be sent to OpenRouter or underlying model providers.

Why it was flagged

Queries and any context included in them are sent to an external model/provider flow. This is disclosed and purpose-aligned, but users should treat it as third-party data sharing.

Skill content

Web search for OpenClaw agents, powered by OpenRouter ... Provide maximum context. The model starts from zero.

Recommendation

Avoid including secrets, private documents, credentials, or unnecessary personal data in research queries.