Deep Researcher

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: deep-researcher
Version: 1.0.0

The skill bundle 'deep-researcher' is classified as benign. It orchestrates several other OpenClaw research skills (tavily-search, perplexity-deep-search, literature-search) to perform iterative, hypothesis-driven research. The `SKILL.md` file contains instructions for the AI agent to execute local scripts and binaries (`node`, `bash`, `npx`, `curl`, `jq`) for legitimate research tasks, such as web search, academic literature retrieval, and contradiction resolution. It explicitly requires API keys for external services, but it only checks that they are present and does not exfiltrate them. The instructions include guardrails against unethical behavior (e.g., 'Never fabricate citations'). While the orchestration of external scripts could theoretically expose the system to shell injection vulnerabilities if the *upstream* scripts or the agent's argument handling are flawed, this skill itself does not introduce or exploit such vulnerabilities, nor does it demonstrate any malicious intent like data exfiltration, persistence, or unauthorized control. The prompt injection aspect noted in `SKILL.md` is actually an instruction for the agent to *ignore* a quirk from an upstream skill, not to perform a malicious injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the setup as written could update or alter other installed skills, potentially changing agent behavior outside this research skill.

Why it was flagged

The skill transparently depends on upstream skills, but the setup uses latest/unpinned installs and a broad `update --all` command that can change the user's wider skill environment, not just this skill's dependencies.

Skill content

```
npx -y clawhub@latest install deepresearchwork
npx -y clawhub@latest install tavily-search
npx -y clawhub@latest install literature-search
npx -y clawhub@latest install perplexity-deep-search
npx -y clawhub@latest update --all
```

Recommendation

Install only the named dependencies, review upstream skills before use, and avoid `update --all` unless you intentionally want to update every installed skill.

What this means

The agent will be able to use the user's Tavily and Perplexity accounts within the limits of those API keys.

Why it was flagged

The skill requires external provider API keys and checks that they are present. This is expected for the stated integrations, and the visible preflight only counts characters rather than printing the keys.

Skill content
Required Credentials

- `TAVILY_API_KEY`
- `PERPLEXITY_API_KEY`

Preflight:

```
echo "$TAVILY_API_KEY" | wc -c
echo "$PERPLEXITY_API_KEY" | wc -c
```

Recommendation

Use least-privilege or dedicated API keys where possible, monitor provider usage, and revoke keys if you no longer use the skill.

What this means

Sensitive or confidential research questions could be transmitted to third-party services during normal use.

Why it was flagged

The skill is designed to send research queries and validation prompts through external search/research providers. This is purpose-aligned, but it means user research topics may leave the local environment.

Skill content

tavily-search

Use for web evidence retrieval...

perplexity-deep-search

Use as contradiction arbiter and targeted fact checker

Recommendation

Do not include confidential, regulated, or proprietary information in research prompts unless those provider terms and account settings are acceptable.