Bocha Web Search
PassAudited by ClawScan on May 1, 2026.
Overview
This is a straightforward web-search skill that uses a Bocha API key and sends search queries to Bocha, with no hidden code, install step, persistence, or destructive behavior evident.
This skill appears safe for its stated purpose. Before installing, confirm you trust Bocha with your search queries, use a dedicated BOCHA_API_KEY with reasonable limits, and avoid searching for secrets or highly sensitive private information.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Some prompts may be sent for web search whenever the agent decides current information or verification is needed.
The skill authorizes broad autonomous use of the search API when the agent is unsure. This fits a default web search tool, but users should know it may perform lookups even without an explicit search request.
If uncertain whether online lookup is required, perform a search.
Use this skill if you are comfortable with agent-initiated searches; avoid including secrets or private details in requests that may be searched.
The skill can use the configured Bocha account/API quota when making searches.
The skill requires a Bocha API key to authenticate requests. This is expected for the stated API integration and there is no evidence of unrelated credential use.
requires:
env:
- BOCHA_API_KEYUse a dedicated Bocha API key with appropriate spending, quota, and revocation controls.
Search terms, and any sensitive information included in them, may be transmitted to Bocha.
The artifact clearly shows that user search queries are sent to Bocha's external API. This is purpose-aligned, but it is still an external data flow.
POST https://api.bocha.cn/v1/web-search Request body ... "query": "<USER_QUERY>"
Do not include secrets, private documents, or sensitive personal data in searches unless you are comfortable sharing them with the provider.