Google Search Unlimited V2

Advisory

Audited by VirusTotal on Mar 31, 2026.

Overview

Type: OpenClaw Skill
Name: google-search-unlimited-v2
Version: 2.0.1

The bundle is a well-structured search utility providing a multi-tiered search strategy (SQLite cache, OpenClaw tools, DuckDuckGo, and Google API) with integrated rate limiting. The Python code in search.py and search_engine_final.py follows security best practices, such as using parameterized SQL queries to prevent injection and standard libraries for network communication. No evidence of malicious intent, data exfiltration, or prompt injection was found across the code or documentation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your search queries may be routed to external search services depending on availability and configuration.

Why it was flagged

The skill is designed to call multiple external search mechanisms and automatically fall back between them. This is expected for the stated purpose, but users should know searches may be sent to different providers.

Skill content

DuckDuckGo, Brave Search ... Google API ... Lightweight HTTP ... Automatic failover

Recommendation

Use the skill only for queries you are comfortable sending to third-party search providers, and configure the method explicitly if provider choice matters.

What this means

If configured, the skill can use your Google Custom Search API quota.

Why it was flagged

The skill optionally uses Google Custom Search credentials. This is normal for Google API integration, and the provided artifacts do not show credential logging, hardcoding, or unrelated use.

Skill content

GOOGLE_API_KEY=your_key
GOOGLE_CSE_ID=your_cx

Recommendation

Use a restricted API key where possible and monitor quota usage.

What this means

Sensitive searches could remain on disk in the skill's cache and be visible to anyone with access to the local files.

Why it was flagged

The cache stores query text and method information in a local SQLite database, and helper scripts can display cached queries. This is disclosed and useful for caching, but it persists potentially sensitive search terms.

Skill content

SELECT query_text, method, created_at FROM search_cache ORDER BY created_at DESC LIMIT 5;

Recommendation

Avoid searching highly sensitive terms, periodically clear the cache, and set conservative TTL/size values if privacy matters.

What this means

Future installs may receive different package versions than the author tested.

Why it was flagged

The skill depends on common Python packages, but the metadata does not pin versions. This is typical for small Python tools but gives less reproducible dependency provenance.

Skill content

"packages": ["requests", "beautifulsoup4", "lxml"]

Recommendation

Install in a virtual environment and consider pinning dependency versions before production use.

What this means

Users may over-trust the skill based on promotional or self-attested claims.

Why it was flagged

The package includes self-generated approval and safety claims. They may be benign documentation, but they should not be treated as independent proof of security.

Skill content

Status: ✅ APPROVED FOR PRODUCTION ... No security vulnerability detected

Recommendation

Rely on the actual reviewed behavior and your own testing rather than the included approval/marketing statements.