google-search-web
Pass
Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: google-search-web
Version: 1.0.0
The skill is a standard wrapper for a third-party Google Search API hosted at coze-js-api.devtool.uk. The Python script (scripts/google_search.py) uses the requests library to send search queries and handles API keys through environment variables or command-line arguments in a conventional manner. There is no evidence of data exfiltration, malicious code execution, or harmful prompt injection instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms are transmitted to the devtool.uk API rather than being kept local.
The script sends each search query to a disclosed external API endpoint. This is the intended function, but it means the provider receives the query text.
API_URL = "https://coze-js-api.devtool.uk/google/search/web" ... requests.post(API_URL, json=payload, timeout=150
Use this only for queries you are comfortable sending to that provider, and avoid placing secrets or private data in search terms.
If you provide an API key, it is sent to the third-party search API; passing it on the command line may also expose it in local shell history or process listings.
The script can read an optional paid API key from an environment variable or command-line argument and send it to the search API. This is purpose-aligned, but the key is sensitive.
return arg_key or os.environ.get("AZT_API_KEY", "").strip() or None ... payload["api_key"] = azt_api_key
Prefer setting AZT_API_KEY in a trusted environment over passing the key directly on the command line, and only use a key intended for this provider.
A user may need to manually install a Python package into their environment before the skill works.
The script depends on the external Python package requests, but the provided artifacts include no install spec, requirements file, or pinned dependency version.
except ImportError:
    print("缺少依赖库,请先安装:pip install requests", file=sys.stderr)
Install dependencies from a trusted package source, preferably in a virtual environment; the publisher should declare and pin dependencies in an install spec.
