Google Web Search

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: google-web-search
Version: 1.0.3

The OpenClaw skill 'google-web-search' is classified as benign. Its core functionality involves using the official Google GenAI library to interact with the Gemini API for web search grounding, as stated in its purpose. API keys are securely loaded from environment variables, and dependencies are installed via standard `pip install -r requirements.txt` (or `uv sync`) commands from local files, which is a common and necessary practice for Python skills. There is no evidence of data exfiltration, backdoors, unauthorized remote execution, or prompt injection attempts against the OpenClaw agent itself. All actions are aligned with the skill's stated goal of providing grounded web search capabilities.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A leaked or over-permissive API key could be misused or incur charges on the user's Google/Gemini account.

Why it was flagged

The skill uses a Gemini API key from the environment to authenticate API calls. This is expected for the stated Gemini search purpose, but it is still a credential with account and billing implications.

Skill content

api_key = os.environ.get("GEMINI_API_KEY")
...
client = genai.Client(api_key=api_key)

Recommendation

Use a restricted Gemini API key, keep it out of prompts and logs, and rotate it if it is exposed.

What this means

Sensitive details included in a prompt may be sent to Google/Gemini and may influence generated web search queries.

Why it was flagged

The user's prompt is sent to the Gemini provider with Google Search grounding enabled. This is the core feature, but it means prompt contents leave the local environment.

Skill content

response = client.models.generate_content(
    model=model,
    contents=prompt,
    config=config,
)

Recommendation

Use this skill for information lookup and citation needs, but avoid including secrets, private documents, or confidential business data unless that provider use is acceptable.

What this means

Future dependency changes could affect behavior or security of the helper script.

Why it was flagged

The dependency versions are lower-bounded rather than pinned, so installation can pull newer compatible package releases. This is common and purpose-aligned, but it leaves the install dependent on package-manager trust and future package versions.

Skill content

google-genai>=1.50.0
pydantic-settings>=2.0.0

Recommendation

Install in a trusted Python environment and consider pinning or locking dependency versions if reproducibility is important.