Web Search Plus

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill

Name: web-search-plus

Version: 3.0.3

The web-search-plus skill bundle is a comprehensive and well-structured tool for multi-provider web search and content extraction. The code in scripts/search.py and scripts/extract.py implements legitimate search routing and URL scraping logic across ten different providers. Notably, the developers have included proactive security measures, such as SSRF protection in scripts/search.py and scripts/setup.py, which validates SearXNG instance URLs to block access to cloud metadata endpoints (169.254.169.254) and private/internal IP ranges. There is no evidence of data exfiltration, malicious command execution, or harmful prompt injection instructions in SKILL.md.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your searches or extracted URLs may be sent through the configured provider account and may consume API quota or be subject to that provider’s logging and billing terms.

Why it was flagged

The skill can use multiple third-party provider credentials to perform search and extraction. This is expected for the stated purpose and is disclosed, but it grants the skill access to provider quotas/accounts.

Skill content

"SERPER_API_KEY":"optional","BRAVE_API_KEY":"optional","TAVILY_API_KEY":"optional" ... "KILOCODE_API_KEY":"optional — alternative Perplexity provider via Kilo Gateway"

Recommendation

Use dedicated, least-privileged API keys where possible, monitor provider usage, and avoid putting secrets in shared project folders.

What this means

A query or URL may be routed to a different configured provider than the one you expected, affecting privacy, cost, and result behavior.

Why it was flagged

The skill may automatically choose among several external providers for search or URL extraction. This is central to the skill’s purpose and clearly disclosed, but users may not always know which provider receives a given query unless they inspect routing.

Skill content

"Smart routing — query analysis picks the best provider automatically" and "scripts/extract.py auto-falls back across" Firecrawl, Linkup, Tavily, Exa, and You.com

Recommendation

Use explicit provider flags for sensitive searches or run with routing explanation/debug options when you need to know where data is being sent.

What this means

Search queries and results may remain on disk in the skill’s cache directory until they expire or are cleared.

Why it was flagged

The script persists search queries and results in local JSON cache files. This supports the documented caching feature but can retain sensitive search terms locally.

Skill content

cached_result["_cache_query"] = query ... with open(cache_path, "w", encoding="utf-8") as f: json.dump(cached_result, f, ensure_ascii=False, indent=2)

Recommendation

Use `--no-cache` for sensitive searches, review the cache directory permissions, and clear the cache when needed.

What this means

Running the setup script executes local package code and may collect provider configuration or API keys as part of setup.

Why it was flagged

The quick start asks the user to run a local Python setup wizard. This is a normal, user-directed setup step for this script-based skill, not evidence of hidden execution.

Skill content

python3 scripts/setup.py

Recommendation

Run setup only from the installed skill directory you trust, and review generated `.env` or `config.json` files before use.