Web Search Plus
PassAudited by ClawScan on May 6, 2026.
Overview
The visible artifacts describe a coherent web search and URL extraction skill, with expected use of provider API keys, external web APIs, and a local cache.
This skill appears coherent for web search and URL extraction. Before installing, decide which provider keys you want it to use, remember that auto-routing can send queries or URLs to different external providers, and use `--no-cache` or clear the cache for sensitive searches.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your searches or extracted URLs may be sent through the configured provider account and may consume API quota or be subject to that provider’s logging and billing terms.
The skill can use multiple third-party provider credentials to perform search and extraction. This is expected for the stated purpose and is disclosed, but it grants the skill access to provider quotas/accounts.
"SERPER_API_KEY":"optional","BRAVE_API_KEY":"optional","TAVILY_API_KEY":"optional" ... "KILOCODE_API_KEY":"optional — alternative Perplexity provider via Kilo Gateway"
Use dedicated, least-privileged API keys where possible, monitor provider usage, and avoid putting secrets in shared project folders.
A query or URL may be routed to a different configured provider than the one you expected, affecting privacy, cost, and result behavior.
The skill may automatically choose among several external providers for search or URL extraction. This is central to the skill’s purpose and clearly disclosed, but users may not always know which provider receives a given query unless they inspect routing.
"Smart routing — query analysis picks the best provider automatically" and "scripts/extract.py auto-falls back across" Firecrawl, Linkup, Tavily, Exa, and You.com
Use explicit provider flags for sensitive searches or run with routing explanation/debug options when you need to know where data is being sent.
Search queries and results may remain on disk in the skill’s cache directory until they expire or are cleared.
The script persists search queries and results in local JSON cache files. This supports the documented caching feature but can retain sensitive search terms locally.
cached_result["_cache_query"] = query ... with open(cache_path, "w", encoding="utf-8") as f: json.dump(cached_result, f, ensure_ascii=False, indent=2)
Use `--no-cache` for sensitive searches, review the cache directory permissions, and clear the cache when needed.
Running the setup script executes local package code and may collect provider configuration or API keys as part of setup.
The quick start asks the user to run a local Python setup wizard. This is a normal, user-directed setup step for this script-based skill, not evidence of hidden execution.
python3 scripts/setup.py
Run setup only from the installed skill directory you trust, and review generated `.env` or `config.json` files before use.