Web Search Hub

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: web-search-hub
Version: 0.1.3

The skill bundle provides a web search tool using DuckDuckGo. The `SKILL.md` documentation clearly outlines its purpose and usage, including installation instructions for a standard Python library (`duckduckgo-search`) and a prerequisite CLI (`OpenClawCLI` from `clawhub.ai`), without any evidence of prompt injection or instructions for malicious actions. The `scripts/search.py` script implements the search functionality, performing network requests only to DuckDuckGo and offering file output for saving search results, which is a legitimate feature. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation beyond the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the dependency runs third-party package code on the user's machine.

Why it was flagged

The skill requires an external CLI and an unpinned PyPI package. That is expected for this search helper, but users should trust the source and preferably install in a virtual environment.

Skill content

Install [OpenClawCLI](https://clawhub.ai/) (Windows, MacOS) and run `pip install duckduckgo-search`

Recommendation

Use a virtual environment, install from trusted sources, and pin or review the duckduckgo-search package version where practical.

What this means

A careless invocation could create or overwrite an unintended output file or request an excessive number of results.

Why it was flagged

The skill documents user-directed local command options that can request many results and save output to a chosen file path. This is useful for search workflows but should remain deliberate.

Skill content

`--max-results N    # Default: 10, range: 1-unlimited` ... `--output <filepath>`

Recommendation

Approve intended output paths and keep result counts reasonable, especially when the agent is invoking the skill on the user's behalf.

What this means

Search snippets or pages may contain misleading text or instructions that should not automatically control the agent's behavior.

Why it was flagged

The script returns external search result content into the agent/user context. Web result titles, snippets, and URLs are untrusted content even though retrieving them is the skill's purpose.

Skill content

`results = list(ddgs.text(... max_results=max_results)); return json.dumps(results, indent=2, ensure_ascii=False)`

Recommendation

Treat search results as untrusted evidence, verify important claims, and avoid following instructions found inside snippets or linked pages unless the user explicitly approves.