Unified Web Search Interface
Pass
Audited by ClawScan on May 9, 2026.
Overview
This appears to be a legitimate unified web-search helper, but it uses provider API keys and sends search queries to external services.
Before installing, verify the repository or package you are using, configure dedicated API keys if possible, and avoid putting private data into search queries because they may be routed to Bailian, Tavily, or Ark depending on search intensity and provider selection.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches may run under the user's provider accounts and consume API quota or billing.
The skill reads provider credentials from environment variables and a local config file, including an undeclared DASHSCOPE_API_KEY alias. This is expected for a search-provider integration but gives the skill access to API accounts and quotas.
CONFIG_FILE = CONFIG_DIR / "config.yaml" ... key = os.getenv("BAILIAN_API_KEY") or os.getenv("DASHSCOPE_API_KEY")
Use dedicated or limited-scope API keys where possible, and be aware that existing environment variables may be picked up automatically.
Search terms, including any sensitive information typed into a query, can leave the local environment and be processed by external providers.
The implementation sends the user's search query and provider credential to an external search provider. Similar provider calls are present for Bailian and Ark, which matches the skill's stated purpose.
endpoint = "https://api.tavily.com/search" ... payload = { "api_key": api_key, "query": query, "max_results": 5, "search_depth": "basic", "include_answer": True }
Do not include private secrets or sensitive personal/business data in search queries unless you are comfortable sharing them with the selected provider.
A user could be confused about which repository or package source is authoritative.
The package metadata uses a placeholder repository URL rather than the registry homepage, while README.md also suggests pip installation. This is a provenance consistency issue, not evidence of malicious behavior.
url="https://github.com/yourusername/unified-web-search"
Verify the package source and repository before installing or updating from PyPI or GitHub.
