Langsearch
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can make requests under your LangSearch account or quota when invoked.
The script uses a LangSearch API key from the environment and sends it as a bearer token to the LangSearch API, which is expected for this integration.
api_key = os.getenv("LANGSEARCH_API_KEY") ... "Authorization": f"Bearer {api_key}"Use a dedicated LangSearch API key if possible, keep it out of source control, and rotate it if it is exposed.
Sensitive search queries, and any documents used with the reranking API, may be visible to the external provider.
User-provided search queries are sent to the external LangSearch API endpoint; this is purpose-aligned but means query contents leave the local environment.
payload = {"query": query, "count": min(count, 100), "summary": include_summary} ... requests.post(url, headers=headers, json=payload, timeout=30)Avoid sending secrets, private documents, or regulated data as search/reranking inputs unless LangSearch’s data-handling terms are acceptable.
Web results or summaries could contain inaccurate content or prompt-like text that should not be treated as trusted instructions.
The skill is intended to feed retrieved web content into LLM/RAG workflows, where untrusted web text can influence model context.
Includes integration examples for building RAG (Retrieval-Augmented Generation) pipelines and LLM applications that require real-world context.
Use retrieved results as evidence to verify, not as authority; keep source attribution and avoid letting web content override user or system instructions.
Users have less registry-level provenance information for confirming that the skill is associated with the LangSearch service.
The registry metadata lacks a populated source or homepage even though the skill describes an external service integration.
Source: unknown; Homepage: none
Verify the API endpoint and key signup URL independently before entering credentials.