Search Web - CN
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can consume or authorize use of the user's Volcengine account through the configured API key.
The skill uses a local Volcengine API credential as a bearer token for its provider request. This is purpose-aligned for a search API integration, but the key may authorize account usage or billing.
api_key = os.getenv("VOLCENGINE_SEARCH_API_KEY") or os.getenv("VOLCENGINE_ARK_API_KEY")Use a dedicated, least-privileged API key if possible, avoid sharing the environment with unintended credentials, and monitor provider usage or billing.
Search questions, including any sensitive text placed in the prompt, may be processed by the external provider.
The script sends the user's question to an external hosted agent/search API and prints the returned answer and references.
API_URL = "https://open.feedcoopapi.com/agent_api/agent/chat/completion" ... "content": question
Do not submit secrets, private code, credentials, or confidential business data unless the provider and account policy allow it.
Install-time metadata may understate the setup and credential requirements, so users may only notice them after reading the files.
The registry metadata does not declare the environment variables or credential requirement that the SKILL.md, README, and script use. This is a disclosure gap rather than hidden behavior because the files themselves document the credentials.
Required env vars: none; Env var declarations: none; Primary credential: none
The publisher should declare VOLCENGINE_SEARCH_API_KEY, VOLCENGINE_SEARCH_BOT_ID, and the optional VOLCENGINE_ARK_API_KEY in metadata; users should verify these requirements before running the script.