Openclaw Multi Search Engine
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only search helper with no code or credentials, but users should notice that searches are sent to external providers and that some documentation includes dual-use advanced search examples.
This skill appears safe as an instruction-only search helper, but install it with the understanding that your search terms go to external search engines. Avoid putting secrets or confidential information in queries, use advanced search operators only for authorized purposes, and verify the inconsistent metadata before relying on the package identity.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anything typed into a search query, including sensitive names, secrets, or private business context, could be sent to the selected external search engine.
The skill is designed to place user search terms into third-party search-provider URLs, so query contents may be visible to those providers.
"Google", "url": "https://www.google.com/search?q={keyword}" ... "DuckDuckGo", "url": "https://duckduckgo.com/html/?q={keyword}"
Use this skill only for queries you are comfortable sending to the chosen search provider; avoid including passwords, tokens, private documents, or confidential internal details.
If used carelessly or autonomously, these search patterns could lead the agent toward inappropriate searches for exposed credentials or administrative pages.
The reference documentation includes advanced search examples that could be used for sensitive or dual-use discovery, such as locating login pages or exposed password text.
`inurl:login admin` ... `intext:password filetype:txt`
Treat the advanced operator examples as reference material only; use them for legitimate, authorized searches and avoid credential-discovery or unauthorized reconnaissance queries.
The mismatch does not show malicious behavior, but it makes the package provenance and version history less clear.
The included metadata file names a different skill slug and version than the multi-search-engine artifacts, suggesting stale or inconsistent packaging metadata.
"slug": "tavily-search", "version": "1.0.0"
Before installing, verify that the registry listing, SKILL.md, and metadata files refer to the same intended skill and publisher.
A user might assume sensitive searches are fully private when query data is still being sent to external services.
The skill presents broad privacy claims about search engines, which may cause users to overestimate privacy protections for submitted queries.
## Privacy Engines - **DuckDuckGo**: No tracking - **Startpage**: Google results + privacy - **Qwant**: EU GDPR compliant
Do not rely solely on the skill's privacy descriptions; review each provider's privacy policy and avoid sensitive searches when privacy matters.
