coze-web-search
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or low-quality search result could include text that tries to steer the agent away from the user's goal.
The skill outputs web snippets and, when requested, page content. That is expected for a search skill, but retrieved web content is untrusted and may contain prompt-injection-style instructions.
md += `\n${item.snippet}\n\n`; ... md += `<details>\n<summary>Full Content</summary>\n\n${item.content.slice(0, 2000)}`;

Treat search results as reference material only; do not follow instructions found inside returned web pages, and use site restrictions for trusted sources when possible.
Search terms may reveal sensitive interests or information if users include private data in queries.
The user's query is sent through the Coze SDK/search service. This is disclosed and necessary for the stated web-search purpose, but it is still an external provider data flow.
response = await client.webSearch(options.query, options.count, options.needSummary);
Avoid searching for secrets, credentials, or highly sensitive private information unless you are comfortable sending that query to the provider.
The behavior depends partly on the external SDK version resolved in the user's environment.
The skill depends on an external SDK, and the registry states there is no install spec. This is purpose-aligned, but package provenance/version pinning is not shown in the artifacts.
import { SearchClient, Config, APIError } from "coze-coding-dev-sdk";

Install in a normal isolated project environment when possible, and prefer pinned dependency versions if you adapt or package this skill.
