Zhipu Z.ai web search
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it says—search via Zhipu—but users should notice that it needs an API key, sends search terms to Zhipu, and may ask about becoming the primary search tool.
Before installing, be comfortable providing a Zhipu/Z.AI API key and sending search queries to open.bigmodel.cn. Store the key carefully, avoid placing it in a shared skill folder, watch for API billing, and decline the optional primary-search-tool change unless you want this provider used by default.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Zhipu/Z.AI API key may allow paid API usage under your account.
The script reads a Z.AI API key from local configuration or an environment variable and uses it as a bearer credential for API calls. This is expected for the search service, but it is a real credential even though the registry metadata lists no primary credential.
if (process.env.ZAI_API_KEY) { config.apiKey = process.env.ZAI_API_KEY; } ... 'Authorization': `Bearer ${apiKey}`
Use a dedicated or limited API key if available, avoid sharing the skill folder after adding a key, and revoke the key if it is exposed.
Search terms, including any sensitive information typed into a query, may be visible to the external search provider.
User search queries are sent to the external Zhipu API endpoint. This is central to the skill's purpose, but it means query text leaves the local environment.
search_query: query.slice(0, 70) ... hostname: 'open.bigmodel.cn', path: '/api/paas/v4/web_search'
Do not search for secrets or highly sensitive private data, and review Zhipu/Z.AI's privacy and retention terms before use.
If accepted, the agent may prefer this paid/provider-backed search tool over existing search tools for future searches.
The first-time instructions include inspecting other installed search skills and asking whether this skill should be the primary search tool. The artifacts frame this as optional and user-confirmed, but it can affect future tool selection.
Ask About Replacing Other Search Tools ... Use Glob to search for other search-related skills
Only make it the primary search tool if you want Zhipu/Z.AI used by default; otherwise choose the option to keep current search setup and invoke this skill only when needed.
