Skywork Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward Skywork web-search skill, but it uses a Skywork API key and sends search queries to Skywork, so users should avoid putting secrets in searches and protect the key.
This skill is reasonable to install if you intend to use Skywork Search. Protect the SKYWORK_API_KEY, avoid printing or sharing it, do not include confidential data in search queries unless acceptable for Skywork to process, and remove temporary result files after sensitive searches.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill allows the agent to run this local Python helper for searches.
The skill is used by running a bundled Python script. The included source matches the search purpose, so this is expected local execution rather than suspicious behavior.
python3 <skill-path>/scripts/web_search.py "query1" ["query2"] ["query3"]
Use the reviewed bundled script only, and avoid replacing it with unreviewed code or paths.
Anyone who can see the config file or terminal output may be able to copy and use the Skywork API key, potentially consuming quota or accessing the account's API entitlement.
The setup guide instructs users to store a real Skywork API key and includes a verification command that prints the key value. This is expected for authenticated API access, but the secret should be protected.
"apiKey": "your_actual_skywork_api_key_here" ... echo "$SKYWORK_API_KEY"
Store the key only in trusted local configuration, avoid printing the full key in shared/logged terminals, and rotate it if it is exposed.
Search terms, including any sensitive details the user includes, are transmitted to Skywork for processing.
The script sends the user's search query to the Skywork web_search endpoint. This is the core function of the skill, but it means query text leaves the local environment.
url = f"{SKYWORK_GATEWAY_URL}/web_search"
payload = {"query": query, "source_platform": "skyclaw" if POD_TYPE == "skyclaw" else ""}
...
urllib.request.urlopen(req, timeout=30)
Avoid including secrets, private identifiers, or confidential business data in search queries unless sharing them with the provider is acceptable.
Search queries and results may remain on disk temporarily, and web snippets should not be treated as trusted instructions.
The skill stores retrieved web content and then has the agent read it back for synthesis. This is expected for search, but the files may contain sensitive queries or untrusted web snippets.
Results are saved to individual text files in a temporary directory ... After running the script, read the output files.
Delete temporary result files after sensitive searches and treat returned web content as source material, not as instructions to the agent.
