Keyapi Google Search
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to provide KeyAPI-backed Google search, but its bundled runner is broader than the Google-only description and can use your KeyAPI token with non-Google KeyAPI tools.
Review before installing. If you use it, ensure commands explicitly use --platform google and only the intended web_search or image_search tools, protect your KEYAPI_TOKEN/.env file, and disable or clear caching for sensitive searches.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user invoking the helper incorrectly could send requests and use the KeyAPI token for non-Google tools the user did not expect.
This Google-search skill bundles a generic runner that can target other KeyAPI platforms/tools and defaults outside Google, which is broader than the stated purpose.
Calls any KeyAPI MCP tool ... --platform <name> Platform to target (default: tiktok)
Scope the runner to the Google platform and the intended web_search/image_search tools, or clearly warn users and require explicit confirmation for non-Google platform/tool use.
The token may remain on disk in plaintext in the skill directory, where it could be exposed by backups, sharing, or accidental commits.
The helper can store the user's KeyAPI credential in a local .env file for future runs.
writeFileSync(envPath, `KEYAPI_TOKEN=${token}\n`, "utf8");Protect the .env file, avoid committing it, and consider setting KEYAPI_TOKEN through a secure environment or secrets manager instead.
Search terms, returned URLs, snippets, and image results may remain in local cache files after use.
The skill intentionally caches search API responses locally, which can retain queries and results across runs.
Execute tool calls and persist responses to the local cache to avoid redundant API calls.
Use --no-cache for sensitive searches and periodically remove the .keyapi-cache directory if local retention is not desired.
Future dependency updates could change behavior compared with what was reviewed here.
The skill depends on an npm package using a caret version range, so installs may resolve to newer compatible versions.
"@modelcontextprotocol/sdk": "^1.10.2"
Install from a trusted environment and prefer a lockfile or pinned dependency version for reproducible installs.