web-search-engine
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward web-search helper, but users should remember that search terms are sent to third-party search engines and returned snippets are untrusted web content.
This skill is reasonable for general web searches. Before installing, be comfortable with your search terms being sent to Bing, Baidu, 360 Search, or Sogou, and treat returned snippets as untrusted web content rather than instructions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms may be visible to the selected third-party search provider.
The script sends the user-provided search keyword to external search engines; this is expected for the skill but means queries leave the local environment.
const url = 'https://www.bing.com/search?q=' + k;
Do not use this skill for highly sensitive or private search terms unless you are comfortable sending them to the selected search engine.
A malicious or misleading search result could try to influence the agent if the agent over-trusts returned text.
The script returns scraped search-result text to the agent; web results are untrusted content and should not be treated as instructions.
console.log(JSON.stringify(result));
Treat returned search snippets as reference material only, not as commands or authoritative instructions.
The skill may fail or behave differently on systems without a compatible Node runtime.
The skill documentation uses a Node command, but the metadata does not declare Node as a required binary; this is an under-declared runtime requirement rather than evidence of malicious behavior.
Required binaries (all must exist): none
Ensure Node.js is available before using the skill, and review the included search.js file if runtime provenance matters to you.