Web Search by Desearch

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence

ASI03: Identity and Privilege Abuse

What this means

Searches made through the skill may consume the user’s Desearch account quota or balance.

Why it was flagged

The skill requires a provider API key from the user’s environment; this is disclosed and aligned with using Desearch, but it authorizes account usage.

Skill content

key = os.environ.get("DESEARCH_API_KEY")

Recommendation

Use a Desearch key with appropriate account limits and rotate or revoke it if it is no longer needed.

NoteHigh Confidence

ASI07: Insecure Inter-Agent Communication

What this means

Search queries are shared with the Desearch service and may be subject to that provider’s logging, retention, and billing policies.

Why it was flagged

The script sends the user’s search query to Desearch’s external API endpoint, which is expected for this web-search function.

Skill content

DESEARCH_BASE = "https://api.desearch.ai"

Recommendation

Avoid sending highly sensitive private information as search queries unless you are comfortable with Desearch’s handling of that data.