volcengine-web-search
PassAudited by ClawScan on May 1, 2026.
Overview
This is a straightforward Volcengine web-search wrapper, but it sends queries to Volcengine and uses Volcengine credentials or IAM, so users should review those normal integration risks.
This skill appears safe for its stated purpose if you trust Volcengine and the local veadk dependency. Use scoped credentials, be aware that queries go to Volcengine, and avoid including secrets or sensitive private information in search terms.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search requests may run under the user's Volcengine account or IAM role and could affect account usage, logs, or billing.
The script obtains Volcengine access credentials from environment variables or VeFaaS IAM before signing the API request. This is expected for the integration, but it means the skill uses the user's Volcengine identity.
ak = os.getenv("TOOL_WEB_SEARCH_ACCESS_KEY") ... ak = os.getenv("VOLCENGINE_ACCESS_KEY") ... credential = get_credential_from_vefaas_iam()Use narrowly scoped Volcengine credentials where possible and confirm that using ambient VeFaaS IAM credentials is acceptable.
Any private or sensitive text included in a search query may be visible to the external search provider.
The user-provided query is sent to Volcengine's API endpoint. This is necessary for web search, but users should treat query text as data shared with an external provider.
"Query": query, ... host="mercury.volcengineapi.com"
Avoid putting secrets, confidential documents, or personal data into search queries unless that disclosure is intended.
Running the skill depends on whatever veadk package is available in the local environment.
The script relies on the external veadk package, while the skill has no install spec or declared runtime requirements. This is a provenance and setup detail users should verify.
from veadk.auth.veauth.utils import get_credential_from_vefaas_iam from veadk.utils.volcengine_sign import ve_request
Install veadk only from a trusted source and confirm the local dependency is the expected Volcengine package.