Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bocha Web Search

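Unified wrapper for the full set of Bocha search APIs (Web Search / AI Search / Agent Search / Reranker), invoked through Node.js scripts, with support for standard parameters and raw JSON passthrough. Use it when the user mentions "Bocha search / web search / AI search / Agent search / reranking / rerank / fact-checking / industry research report retrieval".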

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 300 · 2 current installs · 2 all-time installs
by Lucas @YIKAILucas
fork of @Iuriak/bocha-web-search (based on 1.0.1)
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, and implementation align: the scripts call Bocha search endpoints (web/ai/agent/reranker) and expose parameters the SKILL.md documents. The code only targets api.bochaai.com endpoints, which matches the declared purpose.
Instruction Scope
SKILL.md tells the agent to run the included Node/Bash scripts and to provide an API key via BOCHA_API_KEY or a local config.json. The scripts only read that config or env var, build a JSON payload, and POST to the Bocha API. One scope note: the --raw-json option allows callers to pass arbitrary JSON that will be merged and sent to the external API — this is expected for advanced use but means the caller must avoid embedding secrets or unrelated data in queries.
Install Mechanism
There is no install spec; this is a script bundle intended to be run directly. No network downloads or package installs occur during setup, and the code itself is not obfuscated. Requires a Node runtime present on the host.
Credentials
The skill requires a Bocha API key at runtime (BOCHA_API_KEY or skills/bocha-web-search/config.json), but the registry metadata lists no required environment variables or primary credential. That mismatch is an incoherence: the skill will fail without providing a sensitive secret, and the metadata does not surface that requirement. Apart from that single API key, no other credentials or unrelated env vars are accessed.
Persistence & Privilege
The skill does not request permanent/always-enabled presence, does not modify other skills' settings, and does not write to system-wide config. The only file it suggests creating is a local skills/bocha-web-search/config.json to store the API key (local persistent file).
What to consider before installing
This skill is a straightforward client for the Bocha search APIs and will send your queries (and any JSON you pass with --raw-json) to https://api.bochaai.com. Before installing:

  1. Be aware you must provide BOCHA_API_KEY (either as BOCHA_API_KEY env var or a local skills/bocha-web-search/config.json) — the registry metadata failing to declare this is an inconsistency you should note.
  2. Do not include secrets or unrelated private data in queries or in --raw-json, since those values are transmitted to an external service.
  3. Verify you trust the Bocha service and restrict the API key's permissions/rotation as appropriate; store config.json with tight filesystem permissions.
  4. Ensure Node is available in the environment.

If you need stronger assurances, ask the publisher for a homepage/contact, or run the scripts in a sandbox and monitor outbound requests to confirm they go only to api.bochaai.com.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.2
latest vk97bxbt3qcmp660cfnk4c8hb0x827wts

SKILL.md

bocha-web-search

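Unified wrapper for the Bocha API (Web / AI / Agent / Reranker), suited to searching the Chinese-language internet, augmenting question answering, and reranking results.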

Prerequisites

Choose one of the two:

  1. Environment variable (recommended)
export BOCHA_API_KEY="你的博查API Key"
  2. Local config file (this machine only)

Create config.json in the skill directory:

{
  "apiKey": "你的博查API Key"
}

Unified entry point

Preferred: scripts/bocha.sh

cd skills/bocha-web-search

# Web Search
bash scripts/bocha.sh web --query "中国最火 app 研报" --count 10 --freshness oneYear --summary true --pretty

# AI Search
bash scripts/bocha.sh ai --query "总结中国移动互联网最新趋势" --count 8 --summary true --timeout 45

# Agent Search
bash scripts/bocha.sh agent --query "给我可追溯来源的回答" --count 8 --freshness oneMonth

# Reranker (usually combined with --raw-json to pass documents)
bash scripts/bocha.sh rerank --query "中国最火app" --raw-json '{"documents":["...","..."]}'

Subcommands

  • web: Web Search API
  • ai: AI Search API
  • agent: Agent Search API
  • rerank: Semantic Reranker API

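Parameters

  • --query: search query (usually required, except in pure rerank scenarios)
  • --count: number of results to return (default 10; clamped to 1~50 inside the script)
  • --freshness: time filter (default noLimit)
  • --summary: whether to return summaries (default true)
  • --page / --offset: pagination parameters (if the endpoint supports them)
  • --language / --region / --site: language, region and site filters (if the endpoint supports them)
  • --raw-json: raw JSON passthrough (to override or supplement advanced parameters)
  • --timeout: request timeout in seconds (default 30)
  • --pretty: pretty-print the JSON output on the Node side (no jq required)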

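Output rules

  • By default the raw API JSON is printed.
  • If --raw-json is provided, it is merged with the standard parameters before sending, and the --raw-json fields take precedence.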
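
The merge rule above, combined with the scan's note that anything in --raw-json is sent to the external API, suggests a pre-send check. The following is an added example, not the skill's own code: buildPayload and auditPayload are hypothetical helpers, the payload field names simply mirror the documented flags, the merge is assumed to happen after the count clamp, and the secret patterns and sample input are constructed.

```javascript
// Added example, not the skill's own code. Payload field names mirror the
// documented flags; the real script's merge order and field names are assumptions.
const SECRET_KEY = /api[-_]?key|secret|token|passw(or)?d|authorization/i;
const SECRET_VALUE = /\b(sk-[A-Za-z0-9]{16,}|AKIA[0-9A-Z]{16})\b/;

function clampCount(n) {
  const v = Number.parseInt(n ?? 10, 10);
  return Number.isNaN(v) ? 10 : Math.min(50, Math.max(1, v));
}

// Standard flags first, then --raw-json on top, as the page documents.
function buildPayload(flags, rawJson) {
  const standard = {
    query: flags.query,
    count: clampCount(flags.count),
    freshness: flags.freshness ?? "noLimit",
    summary: flags.summary ?? true,
  };
  const raw = rawJson ? JSON.parse(rawJson) : {};
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    throw new TypeError("--raw-json must be a JSON object");
  }
  const overridden = Object.keys(raw).filter((k) => k in standard);
  return { payload: { ...standard, ...raw }, overridden };
}

// Walk the merged payload and report anything that should not leave the host.
function auditPayload(payload, path = "$", findings = []) {
  if (typeof payload === "string") {
    if (SECRET_VALUE.test(payload)) findings.push(`${path}: secret-like value`);
  } else if (payload !== null && typeof payload === "object") {
    for (const [k, v] of Object.entries(payload)) {
      const p = Array.isArray(payload) ? `${path}[${k}]` : `${path}.${k}`;
      if (!Array.isArray(payload) && SECRET_KEY.test(k)) findings.push(`${p}: secret-like field name`);
      auditPayload(v, p, findings);
    }
  }
  if (path === "$" && Number.isInteger(payload?.count) && (payload.count < 1 || payload.count > 50)) {
    findings.push("$.count: outside the 1~50 range the flag path enforces");
  }
  return findings;
}

// Constructed sample input: a raw override plus a credential pasted by mistake.
const sample = buildPayload(
  { query: "test", count: "80" },
  '{"count":500,"documents":["doc a","key AKIAABCDEFGHIJKLMNOP"],"apiKey":"x"}'
);
console.log(sample.overridden, auditPayload(sample.payload));
```

Under these assumptions the flag value 80 is clamped to 50, but the raw value 500 replaces it, so a wrapper that wants the limit enforced has to check the merged payload rather than the flags.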

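Usage tips

  1. Start with a broad search to collect candidates (e.g. 2025 中国移动互联网 报告).
  2. Then run a second search with qualifying terms added (e.g. QuestMobile, CNNIC, CTR).
  3. When answering, cite institutional sources first and avoid relying only on self-media rankings.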

Files

6 total