Web Search Rules

Pass

Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: web-search-rules-en
Version: 3.0.0

The skill bundle provides a framework for managing web search results across local (Obsidian) and cloud platforms (Feishu, DingTalk, NotebookLM, IMA). It includes high-risk capabilities such as browser automation, cloud data uploads, and file deletion/migration. While the documentation (SKILL.md, SECURITY.md) contains extensive safety instructions, path validation logic, and mandatory multi-step confirmation requirements to prevent abuse, the inherent presence of these powerful capabilities—specifically browser automation and multi-platform cloud integration—meets the threshold for a suspicious classification under the provided guidelines.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user confirms the wrong target or batch, the agent could change, upload, delete, or migrate knowledge-base content.

Why it was flagged

These are high-impact actions, but they are directly tied to the skill's purpose and are disclosed as requiring confirmation.

Skill content

This skill can guide an agent to read and write knowledge-base content, automate browsers, upload selected content to cloud platforms, and perform deletion or migration operations after confirmation.

Recommendation

Review target platforms, item counts, and dry-run reports before confirming writes, uploads, deletions, or migrations.

What this means

Overbroad credentials or connectors could expose more account data than needed for the current task.

Why it was flagged

Some platform adapters may use OAuth or account-level connectors, which can grant access to cloud documents or drives.

Skill content

"auth": "oauth" ... Use minimal OAuth scopes for Drive import, such as `drive.file`, when the host implementation supports OAuth.

Recommendation

Use the narrowest available scopes, prefer host credential managers, and never paste passwords, cookies, refresh tokens, or API keys into the skill config.

What this means

Confirmed uploads may move webpage content, summaries, or research notes from local storage into cloud workspaces.

Why it was flagged

The skill can send selected research content to external provider platforms, although it requires upload disclosures and confirmations.

Skill content

Cloud platforms include IMA, Tencent Docs, Feishu Wiki, DingTalk Docs, NotebookLM, Google Drive, and any custom platform with network upload.

Recommendation

Use local staging or Obsidian for sensitive research, and confirm the exact cloud platform, workspace, item count, and content type before upload.

What this means

A mistakenly approved broad whitelist or blacklist rule could affect future search captures.

Why it was flagged

Persistent URL rules and staged content can influence future search-result classification and archiving.

Skill content

Load URL rules from the configured rules store. ... Write confirmed rule updates, archive selected content, and append audit records.

Recommendation

Prefer narrow rules, review new persistent rules carefully, and expire or revoke rules that are no longer trusted.

What this means

It is harder to verify the publisher's source history or maintenance practices.

Why it was flagged

The package does not provide a public repository or homepage for independent provenance review, though it also contains no executable code or install script.

Skill content

Repository/Homepage: Not specified in this package.

Recommendation

Install only if you trust the publisher and review the included documentation before enabling cloud or destructive operations.