Code Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a coherent, read-only code search helper, but users should notice that it runs a shell script and can read files under the paths it is asked to search.
This looks suitable for read-only codebase exploration. Before installing, confirm the local search tools come from trusted sources and use explicit project paths so the agent does not search unrelated or sensitive directories.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run the search script locally to inspect code or directory structure.
The skill is designed to invoke a bundled shell script and external CLI tools. This is expected for code search, but it is still local command execution that users should be aware of.
bash /root/.openclaw/workspace/skills/code-search/scripts/search.sh <command> [options]
Use the skill only in workspaces where local code search is intended, and keep searches scoped with the --path option.

If directed broadly, the skill could display matching content or file names from directories beyond the intended codebase.
The search path is user-controllable and could be pointed outside the intended project. The behavior is documented and read-only, so this is a scope-awareness note rather than a concern.
--path <dir> — Search directory (default: current dir)
Provide explicit project paths and avoid broad filesystem roots unless that is intended.

The skill may fail until the expected local tools are installed, and any manual dependency installation should be verified by the user.
The registry metadata does not declare runtime dependencies, while the skill documentation and script rely on rg, fd, and tree. The script checks for them rather than installing them automatically.
Required binaries (all must exist): none; No install spec — this is an instruction-only skill.
Confirm ripgrep, fd, and tree are already installed from trusted sources before use.

Search results may include sensitive code snippets or text that could try to influence the agent if treated as instructions.
The script returns raw matched file lines to the agent. That is central to code search, but repository content should be treated as untrusted data rather than instructions.
printf " %s: %s\n", line_num, line_text
Treat returned file contents as data and avoid searching directories containing secrets unless necessary.
