You.com Web Search & Research API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent You.com API integration guide. It uses an API key, as expected for this kind of integration, and may help edit or add project dependencies; there is no evidence of hidden, destructive, or deceptive behavior.

This appears reasonable for developers who want direct You.com API integration. Before installing, confirm you trust the publisher and endpoints, keep your API key out of code and logs, review any generated code or dependency installs, and treat retrieved web content as untrusted data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may edit files or add dependencies while helping integrate the You.com APIs.

Why it was flagged

The skill can modify project files and run scoped package-manager install commands; this fits an API integration skill but can change the user's local project environment.

Skill content

allowed-tools: Read Write Edit Bash(pip:install) Bash(npm:install) Bash(bun:add)

Recommendation

Review proposed file changes and package installs before approving them, and keep dependency additions limited to what your project actually needs.

What this means

Your You.com API key may be used by generated examples or integrations to make API calls under your account.

Why it was flagged

The skill requires a service API key to call You.com endpoints; this is expected and disclosed, with no evidence of unrelated credential use.

Skill content

All APIs use the same authentication: `X-API-Key` header with the You.com API key.

Recommendation

Store the key in an environment variable such as YDC_API_KEY, avoid committing it to source control, and rotate or revoke it if exposed.

What this means

Search questions, research prompts, and URLs submitted through generated integrations may be sent to You.com services.

Why it was flagged

The skill is designed to send user queries or requested URLs to external You.com API endpoints; this external data flow is disclosed and central to the purpose.

Skill content

Base URL: `https://api.you.com` ... Base URL: `https://ydc-index.io`

Recommendation

Do not submit confidential data unless that matches your organization's policy and You.com's terms for API usage.

What this means

If search results or crawled pages are treated as instructions rather than data, they could influence an agent or LLM in unintended ways.

Why it was flagged

The skill retrieves web results and page contents for downstream processing; retrieved web content is untrusted context and may contain misleading or adversarial text.

Skill content

Search API — Get raw web and news results for a query. You control what happens with the results — feed them into your own LLM ... Contents API — Extract full page content (HTML, Markdown, metadata) from specific URLs.

Recommendation

Treat returned snippets, HTML, and Markdown as untrusted data; validate important sources and do not let retrieved content override user instructions or safety checks.