DashScope Web Search

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward DashScope web-search integration, with the main user-visible risks being API-key use, external query sharing, and user-directed dependency setup.

Before installing, be comfortable providing a DashScope API key and sending search queries to DashScope. Use a dedicated key, avoid searching for secrets or confidential data, and consider pinning the Python dependency during setup. No artifact-backed malicious or deceptive behavior was found.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent may send online search queries when it thinks current information is needed, even if you did not directly invoke the skill.

Why it was flagged

The skill explicitly tells the agent to invoke the web-search script proactively. That is coherent with a web-search skill, but users should understand it may run for broad real-time-information requests.

Skill content

Activate proactively — you CAN search the web via this script.

Recommendation

Avoid including secrets or private information in prompts that may trigger web search, and consider asking for confirmation before searches involving sensitive topics.

What this means

Installing and using the skill requires giving the agent environment access to a DashScope API key, which may authorize API usage and costs.

Why it was flagged

The skill requires a DashScope API key even though the registry metadata lists no required env vars or primary credential. The credential use is disclosed and purpose-aligned, and the script does not show hardcoding or logging of the key.

Skill content

export DASHSCOPE_API_KEY="sk-your-api-key-here"

Recommendation

Use a dedicated DashScope key where possible, keep it out of chat messages and logs, and update the skill metadata to declare `DASHSCOPE_API_KEY` as a required credential.

What this means

The installed dependency version may vary over time, which can affect behavior or security posture.

Why it was flagged

The setup instructions require installing the OpenAI Python package without a pinned version or lockfile. This is a normal dependency for the included client code, but it leaves package version/provenance to the installer.

Skill content

pip install openai

Recommendation

Install in a virtual environment and prefer a pinned version or reviewed lockfile for reproducible setup.

What this means

Search query text leaves the local agent environment and is processed by DashScope.

Why it was flagged

The script sends the user's query to DashScope's API endpoint. This external provider call is disclosed and central to the skill's purpose, with no evidence of unrelated local data collection.

Skill content

BASE_URL = "https://dashscope.aliyuncs.com/compatible-mode/v1" ... messages = [{"role": "user", "content": query}]

Recommendation

Do not use the skill for secrets, private personal data, or confidential business content unless that sharing is acceptable under your DashScope/API data policy.