Web Learner
PassAudited by ClawScan on May 1, 2026.
Overview
Web Learner is a coherent instruction-only web search and browsing skill; its risks are the expected ones from fetching untrusted web pages and possibly using a search API key.
This skill is reasonable to install if you want the agent to search, fetch, and browse the web. Be aware that search terms and visited pages may go to external services, and do not let the browser perform logins, form submissions, purchases, or account changes without explicit approval.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or low-quality page could influence the agent's summary or answer if not treated carefully.
The skill instructs the agent to retrieve web content and integrate it into answers. Web pages are untrusted context and could contain misleading or prompt-injection-style text, though the skill does not tell the agent to obey page instructions.
获取信息 → 执行查询 4. 整合加工 → 提取关键信息 5. 反馈用户
Treat fetched web pages as source material, not instructions; cross-check important claims and cite sources.
The agent may open dynamic websites and interact with page UI while gathering information.
The skill allows use of an interactive browser when search or fetch tools fail. This is expected for a web-learning skill, but browser UI interaction can become higher impact if used for forms, logins, purchases, or account changes.
当以上工具失败时,使用 `browser` 工具:... 支持截图和 UI 交互
Keep browser use read-only for research unless the user explicitly approves any login, form submission, download, purchase, or account-changing action.
A user may need to configure a search-provider API key for full functionality.
The skill notes that web search may require a Brave API key. This is expected for search integration, and the artifacts do not show token logging, hardcoded credentials, or unrelated credential use.
`web_search` - 需要 Brave API Key
Provide any API key only through trusted platform configuration and use a key scoped to the intended search service.