Hybrid Deep Search

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is generally coherent for a search assistant, but users should notice the optional OpenAI API key, unpinned Python dependencies, broad command/network tooling in the Chinese skill file, and placeholder-like search implementation.

This skill does not show malicious behavior in the provided artifacts. Before installing, treat it as a user-directed search helper that may require installing Python packages and may use an OpenAI API key for paid deep-search mode. Verify whether the actual web/API search calls are implemented, because the included script appears to return placeholder success messages rather than real results.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Deep-search use may consume the user's OpenAI account quota or incur charges.

Why it was flagged

The skill asks the user to provide an OpenAI API key for optional deep search. This is expected for the stated OpenAI integration and no artifact shows leakage or unrelated use, but it gives the skill access to a paid external account.

Skill content

export OPENAI_API_KEY="sk-your-openai-api-key"

Recommendation

Use a least-privileged API key if possible, monitor OpenAI usage, and avoid entering sensitive queries unless you are comfortable sending them to the provider.

What this means

Installing unpinned packages can pull newer or unexpected dependency versions.

Why it was flagged

The setup instructions install third-party Python packages without version pins. This is purpose-aligned for an API/search tool, but it leaves dependency versions and provenance to the user's environment.

Skill content

pip install openai python-dotenv requests

Recommendation

Install in a virtual environment and pin or review package versions if using this in a sensitive environment.

What this means

If invoked broadly, the agent could run search-related commands or network requests beyond a single simple lookup.

Why it was flagged

The Chinese skill file declares Bash-mediated access to web_search, curl, and python3. These tools fit the search/API purpose, but curl and python3 are flexible capabilities that can make network requests or run local scripts.

Skill content

allowed-tools: Bash(*:web_search), Bash(*:curl), Bash(*:python3)

Recommendation

Keep invocations query-specific, review commands before execution where possible, and avoid using the skill with sensitive local files or secrets in the prompt.

What this means

Users could mistake placeholder output for real search results if they do not notice that the implementation is simulated.

Why it was flagged

The script reports a successful Brave search while the surrounding comments say the actual API call is only simulated and would be replaced in real use.

Skill content

result = { "mode": "quick", "engine": "Brave API", ... "status": "success", "message": "Brave API 搜索完成 (快速、免费)" }

Recommendation

Verify that real Brave/OpenClaw web_search and OpenAI calls are implemented before relying on the output for research or decision-making.