Web Search by Desearch
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: desearch-web-search
Version: 1.0.1
The skill bundle provides a client for the Desearch web search API. The `SKILL.md` file contains standard documentation and usage instructions without any prompt injection attempts. The `scripts/desearch.py` script correctly retrieves the `DESEARCH_API_KEY` from environment variables, makes HTTP GET requests to a hardcoded `https://api.desearch.ai` endpoint, and properly sanitizes user input (`query`, `start`) using `urllib.parse.urlencode` before constructing the URL. There is no evidence of arbitrary code execution, unauthorized file system access, data exfiltration, or other malicious behaviors. All actions are aligned with the stated purpose of performing web searches.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches made through the skill may consume the user’s Desearch account quota or balance.
The skill requires a provider API key from the user’s environment; this is disclosed and aligned with using Desearch, but it authorizes account usage.
key = os.environ.get("DESEARCH_API_KEY")
Use a Desearch key with appropriate account limits and rotate or revoke it if it is no longer needed.
Search queries are shared with the Desearch service and may be subject to that provider’s logging, retention, and billing policies.
The script sends the user’s search query to Desearch’s external API endpoint, which is expected for this web-search function.
DESEARCH_BASE = "https://api.desearch.ai"
Avoid sending highly sensitive private information as search queries unless you are comfortable with Desearch’s handling of that data.
