Skill v1.0.0
ClawScan security
Bocha Search (Momo优化版) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 4:17 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (calling api.bocha.cn for web search), asks only for a Bocha API key and stores it locally; nothing in the files indicates covert exfiltration or unrelated credential access.
- Guidance: This skill appears to do exactly what it says: call Bocha's web-search API and format results. Before installing: 1) Confirm you trust the Bocha service and its API key handling (the key is stored in plaintext at ~/.openclaw/skills-config/bocha-search.json unless you use an env var). 2) Ensure curl and jq are available. 3) Note the minor doc mismatch: there is no env.sh or bocha-search wrapper in the package — use the provided scripts/search.sh path or adjust installation accordingly. 4) Don’t commit the saved JSON with your API key to any repository. If you need higher assurance, inspect the skill files locally and verify network calls go to api.bocha.cn as shown.
Review Dimensions
- Purpose & Capability (ok): Name/description match the code and docs: the scripts call https://api.bocha.cn/v1/web-search, format results, and the _meta.json declares curl and jq which the scripts require. No unrelated cloud credentials or services are requested.
- Instruction Scope (note): SKILL.md and scripts stay within search functionality (configure API key, call API, format output). Minor documentation inconsistency: setup.sh prints a suggestion to 'source ~/.openclaw/skills/bocha-search/scripts/env.sh' and to run 'bocha-search', but there is no env.sh or bocha-search wrapper included in the package — the actual runnable is scripts/search.sh. Also SKILL.md mentions using the BOCHA_API_KEY environment variable (optional) though the registry metadata does not declare required env vars; this is harmless but worth noting.
- Install Mechanism (ok): No install spec (instruction-only) and bundled scripts are simple shell files. No downloads from external or untrusted URLs, no archive extraction, and required tools are standard (curl, jq) as declared.
- Credentials (ok): The only sensitive data needed is the Bocha API key, which the skill stores locally at ~/.openclaw/skills-config/bocha-search.json or accepts via BOCHA_API_KEY. This is proportionate to a search integration. The skill does not request unrelated secrets or system-level credentials.
- Persistence & Privilege (ok): Skill is not always-enabled and does not modify other skills or system-wide settings. It persistently stores the API key in a user-local config file (expected for convenience) and otherwise requires no elevated privileges.
