ClawHub

google-search

v1.0.0

Search the web using Google Custom Search Engine (PSE). Use this when you need live information, documentation, or to research topics and the built-in web_search is unavailable.

17· 13.8k·169 current·179 all-time
by@mxfeinberg
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill is described as a Google Custom Search wrapper and the provided script requires GOOGLE_API_KEY and GOOGLE_CSE_ID; however the registry metadata lists no required environment variables or primary credential. The declared capabilities (metadata) do not match what the skill actually needs.
Instruction Scope
SKILL.md and scripts/search.py are narrowly scoped: they instruct creating a Google project, obtaining an API key and CX ID, and calling the Google Custom Search API. The instructions and code only read those environment variables and perform an HTTPS request to googleapis.com; they do not access unrelated files or network endpoints.
Install Mechanism
This is an instruction-only skill with a simple Python script and no install specification. No downloads from arbitrary URLs or archive extraction are present. The script depends on the 'requests' package but does not attempt to install it itself.
!
Credentials
The skill legitimately needs GOOGLE_API_KEY and GOOGLE_CSE_ID to function, which is proportionate to its purpose — but those environment variables are not declared in the skill's registry metadata. That omission can cause unexpected behavior or make it unclear to users what secrets the skill will require.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed by default but is not combined here with elevated persistence or broad privileges.
What to consider before installing
The skill's code is straightforward and only calls Google's Custom Search API, but the package metadata failing to list the required GOOGLE_API_KEY and GOOGLE_CSE_ID is an inconsistency you should resolve before installing. Ask the publisher to update the registry metadata to declare those environment variables (and a primary credential) so the platform can surface the secret requirement correctly. If you proceed: provide a Google API key with the minimal allowed scope, keep the key in a secure store (not checked into source), rotate it periodically, and review agent logs/policies to ensure environment variables won't be leaked to third parties. Also confirm that your runtime has the Python 'requests' package or sandbox the skill so arbitrary network egress is controlled.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f0c7tsjnvwatnefzqvg0rph80b1rk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments