Smart Search
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The search feature is legitimate, but the optional privacy setup and local environment handling are broader than advertised and should be reviewed before use.
Install only if you are comfortable with search queries going to Exa or Tavily. Do not run the SearX deployment script as-is on a shared or network-exposed machine; bind it to 127.0.0.1 and review the Docker image. Treat ~/.openclaw/.env as sensitive, and prefer a version of the script that parses only the required variables instead of sourcing the whole file.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A service intended for private local searching could be reachable by other machines on the network and could be abused or expose search activity.
The optional 'private' SearX deployment disables rate limiting, binds to all interfaces, publishes the port without a localhost-only binding, and persists across restarts.
limiter: false bind_address: "0.0.0.0" ... docker run -d ... -p "$PORT":8080 ... --restart unless-stopped ... searx/searx:1.1.0-69-75b859d2
Change the Docker publish option to bind only to 127.0.0.1, keep rate limiting unless intentionally disabled, and make persistence an explicit user choice.
If the local .env file contains unexpected shell commands, they would run whenever the search script is invoked.
The script executes the entire .env file as shell code instead of parsing only SEARXNG_URL and TAVILY_API_KEY.
if [ -f ~/.openclaw/.env ]; then
  source ~/.openclaw/.env 2>/dev/null || export $(cat ~/.openclaw/.env | grep -v '^#' | xargs)
fi
Parse only the specific expected variables using a safe dotenv parser or strict key filtering, and avoid sourcing configuration files.
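The following is an added example of the strict-key-filtering approach recommended above; it is not the skill's code. It assumes the two variable names named in this finding (SEARXNG_URL and TAVILY_API_KEY), and the .env content it reads is a constructed sample.

```shell
#!/bin/sh
# Added example (not the skill's code): read only the expected keys from a
# dotenv file without ever evaluating it. Key names follow the review above;
# the sample .env content below is constructed.

ALLOWED_KEYS="SEARXNG_URL TAVILY_API_KEY"   # strict allow-list

# load_env_key FILE KEY: print the value of KEY from FILE (empty if absent).
# Only lines of the exact form KEY=value are considered; the text is never
# passed to eval or source, so anything else in the file stays inert.
load_env_key() {
  file="$1"; key="$2"
  [ -f "$file" ] || return 1
  # last match wins (dotenv convention); strip KEY= and one layer of quotes
  grep -E "^${key}=" "$file" | tail -n 1 \
    | sed -e "s/^${key}=//" -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# load_search_env FILE: export only the allow-listed variables.
load_search_env() {
  for k in $ALLOWED_KEYS; do
    v=$(load_env_key "$1" "$k") || continue
    if [ -n "$v" ]; then export "$k=$v"; fi
  done
  return 0
}

# Constructed sample file: a comment, the two expected keys, an unrelated
# secret, and a stray command line of the kind the finding above describes.
SAMPLE_ENV=$(mktemp)
cat > "$SAMPLE_ENV" <<'EOF'
# openclaw search settings (constructed sample, not a real key)
SEARXNG_URL="http://127.0.0.1:8888"
TAVILY_API_KEY=tvly-example-not-a-real-key
EXTRA_SECRET=should-stay-private
echo "this line would run if the file were sourced"
EOF

load_search_env "$SAMPLE_ENV"
echo "SEARXNG_URL=$SEARXNG_URL"
echo "TAVILY_API_KEY set: $([ -n "$TAVILY_API_KEY" ] && echo yes || echo no)"
echo "EXTRA_SECRET exported: ${EXTRA_SECRET:-no}"
```

The stray `echo` line and EXTRA_SECRET are never evaluated or exported; only the two allow-listed keys reach the environment.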
Users may misunderstand how their Tavily credential is used and assume it never leaves their machine.
The comment says the API key is never transmitted, but the Tavily call necessarily sends it to Tavily as a bearer token.
# API key is read from the local .env and never transmitted ... -H "Authorization: Bearer $TAVILY_API_KEY"
Clarify that the Tavily key is sent only to Tavily for authentication, which is normal provider behavior, and remove absolute 'never transmitted' wording.
A provider credential is involved if Tavily is enabled, so misuse or leakage of that key could affect the user's Tavily account.
The skill can use a user-provided Tavily API key for the intended Tavily search feature.
[ -z "$TAVILY_API_KEY" ] && return 1 ... -H "Authorization: Bearer $TAVILY_API_KEY"
Use a dedicated low-privilege Tavily key if possible, store it carefully, and revoke it if you stop using the skill.
Running older container images can carry maintenance and vulnerability risk, even when the image is used for the stated search purpose.
The optional deployment recommends an older Docker image by tag, not digest, and highlights lack of bot detection as a feature.
The old version has no bot detection, the JSON API is fully usable! ... searx/searx:1.1.0-69-75b859d2
Prefer a maintained SearXNG image, pin by digest, and review the container configuration before running it.
Search terms may contain sensitive information and will be visible to the selected search provider unless a truly local SearX instance is used.
The skill discloses that search query text is sent to external provider endpoints.
"external_endpoints": [{"url": "https://mcp.exa.ai/mcp" ... "data_sent": "search_query_only"}, {"url": "https://api.tavily.com/search" ... "data_sent": "search_query_only"}]
Avoid searching secrets or private personal data through external providers; configure and verify a localhost-only SearX instance for sensitive searches.
