Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bocha Web Search
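v1.0.2
A unified wrapper for the full set of Bocha search interfaces (Web Search / AI Search / Agent Search / Reranker), invoked through Node.js scripts, with support for standard parameters and raw JSON passthrough. Use when the user mentions "Bocha search / web search / AI search / Agent search / reranking / rerank / fact-checking / industry research report retrieval".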
⭐ 1· 535·5 current·5 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, and implementation align: the scripts call Bocha search endpoints (web/ai/agent/reranker) and expose parameters the SKILL.md documents. The code only targets api.bochaai.com endpoints, which matches the declared purpose.
Instruction Scope
SKILL.md tells the agent to run the included Node/Bash scripts and to provide an API key via BOCHA_API_KEY or a local config.json. The scripts only read that config or env var, build a JSON payload, and POST to the Bocha API. One scope note: the --raw-json option allows callers to pass arbitrary JSON that will be merged and sent to the external API — this is expected for advanced use but means the caller must avoid embedding secrets or unrelated data in queries.
Install Mechanism
There is no install spec; this is a script bundle intended to be run directly. No network downloads or package installs occur during setup, and the code itself is not obfuscated. Requires a Node runtime present on the host.
Credentials
The skill requires a Bocha API key at runtime (BOCHA_API_KEY or skills/bocha-web-search/config.json), but the registry metadata lists no required environment variables or primary credential. That mismatch is an incoherence: the skill will fail without providing a sensitive secret, and the metadata does not surface that requirement. Apart from that single API key, no other credentials or unrelated env vars are accessed.
Persistence & Privilege
The skill does not request permanent/always-enabled presence, does not modify other skills' settings, and does not write to system-wide config. The only file it suggests creating is a local skills/bocha-web-search/config.json to store the API key (local persistent file).
What to consider before installing
This skill is a straightforward client for the Bocha search APIs and will send your queries (and any JSON you pass with --raw-json) to https://api.bochaai.com. Before installing:
1) Be aware that you must provide a Bocha API key (either as the BOCHA_API_KEY env var or in a local skills/bocha-web-search/config.json). The registry metadata fails to declare this, which is an inconsistency you should note.
2) Do not include secrets or unrelated private data in queries or in --raw-json, since those values are transmitted to an external service.
3) Verify you trust the Bocha service and restrict the API key's permissions/rotation as appropriate; store config.json with tight filesystem permissions.
4) Ensure Node is available in the environment.
If you need stronger assurances, ask the publisher for a homepage/contact, or run the scripts in a sandbox and monitor outbound requests to confirm they go only to api.bochaai.com.
Like a lobster shell, security has layers: review code before you run it.
