Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (network search supporting multiple engines) matches included files (web_search.py, requirements.txt, install/run scripts). The code implements DuckDuckGo and Wikipedia searches, caching, and a CLI — all coherent with the stated purpose. Minor mismatch: web_search.py contains an ALLOWED_DOMAINS list referencing some paid/search API hosts (serpapi, google.serper.dev, api.search.brave.com) that the current code does not call; this appears to be leftover/anticipatory rather than necessary for the declared functionality.
Instruction Scope
SKILL.md instructs creating a venv, installing pip deps, running web_search.py, and explains cache behavior. The runtime instructions and the code operate only on local files (cache at ~/.ai_search_cache.db) and public search APIs via standard libraries; there are no instructions to read unrelated system files or to transmit local data to unexpected endpoints. Note: SKILL.md lists optional environment variables for paid APIs (SERPER_API_KEY, BRAVE_API_KEY) but the current code does not read these variables.
Install Mechanism
No remote arbitrary downloads. install.sh is a simple installer that optionally creates a Python venv and runs pip install -r requirements.txt. Dependencies come from PyPI (duckduckgo-search, wikipedia, requests) — standard and expected for this task. No extract-from-URL or unknown-host downloads were used.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. SKILL.md mentions optional paid-API keys (SERPER_API_KEY, BRAVE_API_KEY) that are not referenced in the current code — this is a minor inconsistency (suggests potential future integrations but no current need for secrets). Cache path (~/.ai_search_cache.db) is local and expected.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. Its persistent footprint is limited to creating a virtualenv (if the user consents) and a local SQLite cache file in the user's home directory. It does not modify other skills or system-wide agent settings.
Assessment
This skill appears to be what it claims: a local search tool using DuckDuckGo/Wikipedia with a 24‑hour local cache. Before installing: (1) Review web_search.py yourself if you have concerns — it is the only substantial code file. (2) Install/run inside a Python virtualenv (install.sh prompts for one). (3) Be aware the cache is stored at ~/.ai_search_cache.db; delete it if you want to remove stored queries. (4) The SKILL.md mentions optional paid-API environment variables, but the current code does not use them — if maintainers add paid-API integrations later, those could require keys; re-check future versions before supplying secrets. (5) Dependencies are installed from PyPI; if you require extra assurance, inspect dependency versions and supply a pinned requirements file or install in an isolated environment.Like a lobster shell, security has layers — review code before you run it.
latestvk97c3vz9pevfrvxr1hj3x4ya1s82z9d2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.