Bocha Web Search

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: bocha-web-search
Version: 1.0.1

The skill is a web search tool that makes an HTTP POST request to `https://api.bocha.cn/v1/web-search` using an API key read from the `BOCHA_API_KEY` environment variable. The `SKILL.md` explicitly states an intent to avoid shell-specific instructions and system-level file operations, and the instructions provided to the AI agent are consistent with this: they focus solely on making the API call, processing the JSON response, and formatting the output with citations. There is no evidence of prompt injection, data exfiltration (beyond transmitting the API key for its intended use), malicious execution, persistence, or obfuscation. The external network call is fundamental to the skill's stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Some prompts may be sent for web search whenever the agent decides current information or verification is needed.

Why it was flagged

The skill authorizes broad autonomous use of the search API when the agent is unsure. This fits a default web search tool, but users should know it may perform lookups even without an explicit search request.

Skill content

If uncertain whether online lookup is required, perform a search.

Recommendation

Use this skill if you are comfortable with agent-initiated searches; avoid including secrets or private details in requests that may be searched.

What this means

The skill can use the configured Bocha account/API quota when making searches.

Why it was flagged

The skill requires a Bocha API key to authenticate requests. This is expected for the stated API integration and there is no evidence of unrelated credential use.

Skill content

requires:
  env:
    - BOCHA_API_KEY

Recommendation

Use a dedicated Bocha API key with appropriate spending, quota, and revocation controls.

What this means

Search terms, and any sensitive information included in them, may be transmitted to Bocha.

Why it was flagged

The artifact clearly shows that user search queries are sent to Bocha's external API. This is purpose-aligned, but it is still an external data flow.

Skill content

POST https://api.bocha.cn/v1/web-search

Request body ... "query": "<USER_QUERY>"

Recommendation

Do not include secrets, private documents, or sensitive personal data in searches unless you are comfortable sharing them with the provider.