Bocha Web Search
ReviewAudited by ClawScan on May 10, 2026.
Overview
This looks like a normal Bocha search connector, but it will send your queries or reranker documents to Bocha using your API key.
This skill appears coherent and purpose-aligned for Bocha search. Before installing, understand that it requires a Bocha API key and transmits your search queries or reranker documents to Bocha; do not use it with sensitive data unless that is acceptable for your workflow.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide a Bocha API key, and requests will be billed or authorized under that Bocha account according to Bocha's rules.
The script retrieves a Bocha API key from the environment or config file and uses it for authenticated API requests. This is purpose-aligned, but it is still account credential use.
if (process.env.BOCHA_API_KEY?.trim()) return process.env.BOCHA_API_KEY.trim(); ... Authorization: `Bearer ${apiKey}`Use a dedicated Bocha key with the minimum needed permissions, store it securely, and rotate it if it may have been exposed.
Search queries and any documents supplied through --raw-json may be processed by the Bocha service.
The script sends the constructed query or raw JSON payload to Bocha API endpoints. This is expected for a search/rerank connector, but it means user-provided content leaves the local environment.
case 'rerank': return 'https://api.bochaai.com/v1/semantic-reranker'; ... body: JSON.stringify(payload)
Avoid sending secrets, private documents, regulated data, or sensitive business information unless you are comfortable sharing it with Bocha under its terms.
Running the shortcut search script executes included Node.js code locally.
The helper starts the included bocha.mjs script with a fixed argument array. This is a local wrapper for the documented search function rather than arbitrary shell execution.
const ret = spawnSync(process.execPath, [bochaPath, 'web', '--query', query, '--count', String(count), '--pretty'], {Review the included scripts before use if you do not trust the publisher; no hidden or unrelated command execution is shown in the provided files.