NanoGPT Web Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a straightforward NanoGPT web-search wrapper; it uses your NanoGPT API key and sends search queries to NanoGPT, with no hidden or destructive behavior shown.
Before installing, make sure you are comfortable setting NANOGPT_API_KEY, sending search queries to NanoGPT and its providers, and paying any listed search costs. Install the requests dependency from a trusted Python environment and treat search results as untrusted information to verify.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the dependency pulls code from the Python package ecosystem.
The setup asks the user to install an unpinned Python dependency. This is a common, purpose-aligned dependency for the Python API path, not hidden installation behavior.
pip install requests
Install dependencies in a trusted environment, and pin or vet package versions if you need stricter supply-chain control.
Anyone invoking the skill with this environment variable can use the configured NanoGPT account and potentially spend API credits.
The code reads the declared NanoGPT API key and sends it as the API authentication header.
self.api_key = api_key or os.environ.get("NANOGPT_API_KEY") ... "x-api-key": self.api_key
Use an API key with appropriate limits if available, avoid committing keys to code, and monitor NanoGPT usage.
Queries may leave your local environment and be processed by NanoGPT and the selected search provider.
Search queries and provider choices are sent to the external NanoGPT API endpoint as part of the skill's core function.
API_URL = "https://nano-gpt.com/api/web" ... payload = {"query": query, "provider": provider, "depth": depth, "outputType": output_type}
Do not search for secrets or confidential material unless you are comfortable sending that data to NanoGPT and its providers.
Search result snippets or sourced answers could contain misleading content or prompt-injection-style instructions if an agent over-trusts them.
The skill displays text returned from web search results, which is external content and may be untrusted.
snippet = r.get("snippet", "") ... print(f" 📝 {snippet[:200]}{'...' if len(snippet) > 200 else ''}")
Treat returned web content as evidence to verify, not as instructions for the agent to follow.
