MySearch

Pass

Audited by ClawScan on May 1, 2026.

Overview

MySearch is a disclosed web-search connector that uses configured provider/proxy keys and may be invoked automatically for lookups, with no artifact-backed hidden or destructive behavior found.

Before installing, make sure you trust the configured proxy or provider endpoints, use dedicated API keys if possible, and understand that the agent may use MySearch automatically for external lookups when it is healthy.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

External lookup queries may be sent through MySearch whenever the agent decides current web or social search is needed.

Why it was flagged

The skill can be selected by the agent as the default search path without a separate explicit user command for every lookup.

Skill content

default_prompt: "Use $mysearch as the default OpenClaw search skill... Prefer MySearch over raw web_search..."
policy:
  allow_implicit_invocation: true

Recommendation

Install only if you are comfortable with this skill being the default external search route; disable implicit invocation or use another search path if you want per-call control.

What this means

API keys or proxy tokens configured for the skill can be used to make searches against those services.

Why it was flagged

The skill requires delegated provider or proxy credentials to perform its search function and discloses that those credentials are sent to configured endpoints.

Skill content

MySearch sends queries and whichever provider or proxy credentials you configure to the configured endpoints for Tavily, Firecrawl, Exa, and optional xAI/social search.

Recommendation

Use least-privilege or dedicated search keys where possible, configure them through OpenClaw skill env, and rotate them if you change proxy/provider trust.

What this means

Secrets stored in the local MySearch/Codex configuration may be picked up automatically by the skill.

Why it was flagged

The runtime may load MySearch-specific environment values, potentially including API keys, from a local Codex configuration file.

Skill content

config_path = Path(os.getenv("CODEX_HOME", "~/.codex")).expanduser() / "config.toml"
...
env = ((data.get("mcp_servers") or {}).get("mysearch") or {}).get("env") or {}

Recommendation

Keep only intended MySearch credentials in the relevant config section and avoid storing unrelated secrets there.

What this means

A proxy host you configure could see what you search for and may receive credentials used through it.

Why it was flagged

The artifacts disclose a proxy/provider trust boundary: a configured proxy can observe search queries and routed credentials.

Skill content

If you point MYSEARCH_PROXY_BASE_URL at an untrusted host, that host can see queries and any credentials routed through it.

Recommendation

Use your own proxy or a provider you trust, and do not route production credentials through an unknown proxy.