Bocha Web Search
v1.0.1
Default web search tool using Bocha Web Search API. Use for online lookup, verification, time-sensitive information, and citation-based answers.
by Bocha-Labs @iuriak
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the required pieces: the SKILL.md documents a web-search API endpoint at api.bocha.cn and declares BOCHA_API_KEY as the single required credential. There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
Runtime instructions are narrowly scoped to calling POST https://api.bocha.cn/v1/web-search with the API key and formatting citation-backed results. The doc does not instruct reading local files, other env vars, or exfiltrating data. One note: the guidance 'If uncertain whether online lookup is required, perform a search' gives the agent discretion to initiate searches when it deems necessary — expected for a search tool but worth knowing if you want strict limits on when external calls happen.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk/write risk; nothing is downloaded or executed locally by the skill itself.
Credentials
Only BOCHA_API_KEY (primaryEnv) is required, which is proportionate to a web-search integration. No other tokens, secrets, or unrelated credentials are requested.
Persistence & Privilege
always is false and the skill is user-invocable (defaults). The skill can be invoked autonomously by the agent (disable-model-invocation is false), which is normal for search skills; this increases the chance it will make outbound queries but is not itself a misconfiguration.
Assessment
This skill appears to be what it claims: a thin wrapper around the Bocha Web Search API. Before installing, consider: (1) You must provide BOCHA_API_KEY — treat it like any API secret (limit scope, rotate if needed). (2) Queries and returned content will be sent to/received from api.bocha.cn; do not send sensitive or private data to the skill. (3) Because the agent can invoke the skill autonomously, it may perform searches whenever it decides a lookup is needed; if you want stricter control, disable autonomous invocation or require explicit user invocation only. (4) Review Bocha's privacy, logging, and retention policy and your organizational policy for third-party APIs. (5) Monitor usage (cost/rate limits) and restrict the key if needed. These precautions will mitigate the primary risks (exposure of queries and the API key).
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔎 Clawdis
Env: BOCHA_API_KEY
Primary env: BOCHA_API_KEY
