Bocha Web Search

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Some prompts may be sent for web search whenever the agent decides current information or verification is needed.

Why it was flagged

The skill authorizes broad autonomous use of the search API when the agent is unsure. This fits a default web search tool, but users should know it may perform lookups even without an explicit search request.

Skill content

If uncertain whether online lookup is required, perform a search.

Recommendation

Use this skill if you are comfortable with agent-initiated searches; avoid including secrets or private details in requests that may be searched.

What this means

The skill can use the configured Bocha account/API quota when making searches.

Why it was flagged

The skill requires a Bocha API key to authenticate requests. This is expected for the stated API integration and there is no evidence of unrelated credential use.

Skill content

requires:
  env:
    - BOCHA_API_KEY

Recommendation

Use a dedicated Bocha API key with appropriate spending, quota, and revocation controls.

What this means

Search terms, and any sensitive information included in them, may be transmitted to Bocha.

Why it was flagged

The artifact clearly shows that user search queries are sent to Bocha's external API. This is purpose-aligned, but it is still an external data flow.

Skill content

POST https://api.bocha.cn/v1/web-search

Request body ... "query": "<USER_QUERY>"

Recommendation

Do not include secrets, private documents, or sensitive personal data in searches unless you are comfortable sharing them with the provider.