Felo Search
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search queries are written to a temporary file and sent through a shell command to Felo.
The skill uses shell commands, curl, and a temporary file to perform the search. This is coherent with its purpose, but users should understand the local command and file flow.
When this skill is triggered, execute the following steps using the Bash tool ... curl -s -X POST https://openapi.felo.ai/v2/chat ... -d @/tmp/felo_query.json
Use it for intended web searches only, avoid placing secrets in search queries, and use safer temporary-file handling if adapting the instructions.
Your Felo API key may authorize API usage on your account, and displaying it can accidentally reveal it.
The skill requires a provider API key, and the README suggests printing it during verification. This credential need is purpose-aligned, but it is not declared in registry metadata and printing secrets can expose them in logs or transcripts.
Set the `FELO_API_KEY` environment variable ... echo $FELO_API_KEY ... You should see your API key.
Use a revocable Felo API key, avoid echoing the full key in shared or logged terminals, and revoke/rotate it if exposed.
Anything included in a search query may be transmitted to Felo's service.
The documented workflow sends the user's query to an external provider API. This is expected for a web-search skill, but it is still a data boundary users should notice.
Extract the user's query and call the Felo API ... https://openapi.felo.ai/v2/chat
Do not include private credentials, confidential files, or sensitive personal data in searches unless you are comfortable sending them to Felo.
It is harder to independently verify who maintains the skill or inspect its release history.
The registry metadata does not provide a source repository or homepage for provenance verification, although no runnable code files are included.
Source: unknown; Homepage: none
Install only if you trust the registry entry and Felo integration; verify the publisher and endpoint before configuring an API key.