AnySearch MCP
PassAudited by ClawScan on May 11, 2026.
Overview
AnySearch MCP is a coherent web-search integration, but it sends searches, URLs, and optional API keys to AnySearch and may use third-party proxy packages if configured.
This skill appears purpose-aligned for web search and URL extraction. Before installing, decide whether you trust AnySearch with your queries and any API key, avoid sending confidential information, and prefer direct HTTP configuration or pinned proxy packages when possible.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the agent or MCP client can use the AnySearch API key and quota; a persisted key may remain available to future sessions.
The skill can use and persist a provider API key. This is expected for the service and asks for confirmation, but it is still delegated account access.
| Has key | Sent via `Authorization: Bearer <key>` header, higher rate limits | ... | Key exhausted, auto-registered key returned | Agent should ask user for confirmation, then persist the new key |
Store the key in an environment variable or secret store, confirm before persisting any replacement key, and rotate or revoke the key if it is exposed.
Sensitive searches, private URLs, or API keys may be visible to the provider or handled under its policies.
The README clearly discloses that user queries, URLs, and optional credentials are sent to the remote AnySearch MCP provider.
- Search queries, extracted URLs, and API keys are sent to `https://api.anysearch.com`
Use the skill only if you trust the provider, avoid secrets or confidential business data in searches, and review provider privacy/security terms.
A compromised or changed proxy package could affect the MCP connection or expose data passed through it.
The documented stdio/SSE proxy setup can execute npm packages via `npx -y` without pinning a version. This is disclosed and purpose-aligned, but it depends on third-party package integrity.
"command": "npx", "args": ["-y", "mcp-remote", "https://api.anysearch.com/mcp", "--header", "Authorization: Bearer ${ANYSEARCH_API_KEY}"]Prefer direct Streamable HTTP when supported, or pin and verify proxy package versions before using npx-based configurations.
A background proxy may keep accepting MCP traffic while it is running and may be forgotten after setup.
The skill may rely on a local proxy process that remains active beyond a single request. This is disclosed and user-directed, not hidden persistence.
> The SSE proxy must remain running while the agent is active. Consider running it as a background service.
Run the proxy only when needed, ensure it is bound to localhost, and stop or disable any background service when you no longer use the skill.