google-search-web

Pass

Audited by ClawScan on May 9, 2026.

Overview

This skill is a transparent web-search wrapper that sends search terms, and optionally an API key, to a disclosed third-party search API; no hidden or destructive behavior is evident.

This appears safe for its stated purpose, but remember that your search query and optional API key go to a third-party devtool.uk endpoint. Avoid searching for secrets or private data, use an environment variable for the API key if needed, and install the requests dependency from a trusted source.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search terms are transmitted to the devtool.uk API rather than being kept local.

Why it was flagged

The script sends each search query to a disclosed external API endpoint. This is the intended function, but it means the provider receives the query text.

Skill content

API_URL = "https://coze-js-api.devtool.uk/google/search/web" ... requests.post(API_URL, json=payload, timeout=150

Recommendation

Use this only for queries you are comfortable sending to that provider, and avoid placing secrets or private data in search terms.

What this means

If you provide an API key, it is sent to the third-party search API; passing it on the command line may also expose it in local shell history or process listings.

Why it was flagged

The script can read an optional paid API key from an environment variable or command-line argument and send it to the search API. This is purpose-aligned, but the key is sensitive.

Skill content

return arg_key or os.environ.get("AZT_API_KEY", "").strip() or None ... payload["api_key"] = azt_api_key

Recommendation

Prefer setting AZT_API_KEY in a trusted environment over passing the key directly on the command line, and only use a key intended for this provider.

What this means

A user may need to manually install a Python package into their environment before the skill works.

Why it was flagged

The script depends on the external Python package requests, but the provided artifacts include no install spec, requirements file, or pinned dependency version.

Skill content

except ImportError:
    print("缺少依赖库,请先安装:pip install requests", file=sys.stderr)

Recommendation

Install dependencies from a trusted package source, preferably in a virtual environment; the publisher should declare and pin dependencies in an install spec.