ClawHub

SerpAPI

v1.0.0

Unified search API across Google, Amazon, Yelp, OpenTable, Walmart, and more. Use when searching for products, local businesses, restaurants, shopping, images, news, or any web search. One API key, many engines.

5· 3.9k·28 current·28 all-time
by@ianpcook
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and scripts/serp.py all align: the code calls SerpAPI endpoints and supports the engines listed. Small metadata inconsistency: registry metadata lists no primary credential while the skill clearly requires SERPAPI_API_KEY (declared in SKILL.md and enforced by the script). This is likely an oversight but worth noting.
Instruction Scope
Runtime instructions stay within the search use case. The CLI wrapper intentionally reads a TOOLS.md file (home/clawd/TOOLS.md, cwd/TOOLS.md, or a CLAWDBOT_WORKSPACE path) to get a default location — that's documented in SKILL.md — but this means the skill will read workspace files and may access the user's home workspace file if present. No instructions ask the agent to read unrelated secrets or system configs.
Install Mechanism
No install spec; this is instruction-only plus a small CLI script included in the bundle. No external downloads, package installs, or archive extraction are performed by the skill itself.
Credentials
The only required environment variable is SERPAPI_API_KEY — appropriate and proportional for a SerpAPI client. The code also reads CLAWDBOT_WORKSPACE (to locate TOOLS.md) but that env var is not declared in metadata; it's optional but worth calling out.
Persistence & Privilege
Skill is not force-installed (always:false) and doesn't request special system-wide privileges or attempt to modify other skills or global configs. Default autonomous invocation (disable-model-invocation:false) is platform normal and not a red flag here.
Assessment
This skill appears to do what it says: a CLI wrapper that calls SerpAPI and needs SERPAPI_API_KEY. Before installing, consider: 1) Use a dedicated SerpAPI key with minimal permissions and monitor/rotate it if possible; avoid reusing high-privilege keys. 2) Review the included script (scripts/serp.py) yourself — it is short and readable and only contacts serpapi.com/search.json. 3) Be aware the tool will try to read a TOOLS.md (home/clawd/TOOLS.md, cwd/TOOLS.md, or path via CLAWDBOT_WORKSPACE) to get a default location — if you keep sensitive data there, remove it or set an explicit --location when invoking. 4) The metadata omits declaring SERPAPI_API_KEY as the primary credential in the registry; treat that as a documentation gap rather than malicious behavior. 5) If you plan to let the agent invoke the skill autonomously, ensure the API key is scoped and rate-limited to reduce blast radius. Overall the skill is coherent, but always audit keys and workspace files before enabling.

Like a lobster shell, security has layers — review code before you run it.

latestvk976jm4x7w0wmha8tnypd0hans7zwd2e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
EnvSERPAPI_API_KEY

Comments