Search Strategy Skill
Pass. Audited by ClawScan on May 10, 2026.
Overview
This search skill is purpose-aligned, but it sends queries or URLs to external search/crawling providers and can use optional API/OAuth-backed tools.
This skill appears safe to install for general web-search assistance. Before using it with sensitive topics, internal URLs, or social-platform searches, confirm which engine will be used, review any separately installed provider tools, and scope or revoke API/OAuth credentials as needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A search request may cause outbound searches or crawls through third-party tools, potentially reaching more pages than a simple single-page fetch.
The script can automatically select and invoke a crawler/search tool based on user input. That is central to the skill’s purpose, but it can initiate external crawling/search activity.
elif [ "$FULL_CRAWL" -eq 1 ]; then
ENGINE="firecrawl"
...
firecrawl search "$QUERY" --scrape 2>/dev/null | head -100
Use --engine explicitly for sensitive tasks, avoid private/internal URLs, and reserve full-crawl behavior for targets you intend to crawl.
If those tools are installed and credentials are configured, searches may use provider quotas or delegated account access.
The README discloses optional API keys and platform OAuth for integrated providers. This is expected for those services, and the artifacts do not show hardcoded credentials or credential leakage.
| firecrawl-cli | `FIRECRAWL_API_KEY` | Full crawler for JS websites ... |
| tavily-search | `TAVILY_API_KEY` | AI-optimized research summaries ... |
| brave-search | `BRAVE_API_KEY` | Privacy search |
| agent-reach | Per-platform OAuth | Social media such as Twitter/YouTube/GitHub |
Use scoped API keys/OAuth grants where possible, review each provider tool separately, and revoke credentials you no longer need.
The actual behavior of firecrawl, tavily-search, or agent-reach depends on separately installed tools outside this skill’s reviewed code.
The implementation calls external CLIs that are not included in this artifact set and are not declared as required binaries in the registry metadata. This creates a dependency/provenance review gap, though the behavior is disclosed and purpose-aligned.
if ! command -v firecrawl &> /dev/null; then
...
if ! command -v tavily-search &> /dev/null; then
...
if ! command -v agent-reach &> /dev/null; then
...
Install referenced tools only from trusted sources and check their permissions, credentials, and update behavior before use.
Private search terms, unpublished URLs, or internal site names could be disclosed to third-party services if used as input.
Search terms and URLs are sent to external providers such as Jina, DuckDuckGo, Brave, Tavily, Firecrawl, or agent-reach depending on the selected engine. This is expected for a search skill but is still a data-sharing consideration.
curl -s --compressed "$jina_url"
...
local ddg_url="https://html.duckduckgo.com/html/?q=$(echo "$QUERY" | sed 's/ /+/g')"
...
tavily-search query="$QUERY" max_results="$MAX_RESULTS"
Do not use sensitive, confidential, or internal-only queries/URLs unless the selected provider is approved for that data.
