ClawHub

bocha-skill

v1.0.0

Search the web using Bocha AI Search API (博查AI搜索) - a Chinese search engine optimized for Chinese content. Requires BOCHA_API_KEY. Supports web pages, images, and news with high-quality summaries.

1· 2.3k·4 current·4 all-time
by@ypw757
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, declared primaryEnv (BOCHA_API_KEY), required binary (node), tool.json, and the node script all align with a simple web-search skill that calls the Bocha API. The code only calls a Bocha endpoint and formats results.
Instruction Scope
Runtime instructions (SKILL.md) stay within the search skill scope: they ask for BOCHA_API_KEY, describe how to configure OpenClaw, and show usage examples. However, documentation files contain a number of minor inconsistencies (different Bocha domain strings appear in README vs script) and the PUBLISH.md file includes an apparent example API key in a test command, which is concerning because it encourages copying/sharing credentials.
Install Mechanism
This is instruction-only from the platform perspective (no platform install spec). The repo includes a small standalone Node.js script with no external dependencies. The publish.sh installs the 'clawdhub' CLI (npm -g) if missing and automates publishing — this is a convenience but will run package manager and network operations if executed, so users should inspect and consent before running it.
!
Credentials
Only BOCHA_API_KEY is required, which is proportionate. However, PUBLISH.md contains a concrete-looking API key string used in a test command. Including an example secret in repository/docs is a red flag: it could be a leftover real key, or encourage users to copy/paste a key into public forums. The skill otherwise does not request unrelated credentials.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide config. SKILL.md shows how to add the API key to OpenClaw config, which is standard. publish.sh interacts with ClawdHub but only for publishing and requires user interaction.
What to consider before installing
This skill appears to be a straightforward Bocha API search wrapper, but take these precautions before installing or running any included scripts: - Do not assume the API key shown in PUBLISH.md is safe to use; treat it as a leaked/example key. Replace it with your own key and verify the example key is invalid before trusting the repository. - Inspect publish.sh before running it: it will install a global npm package (clawdhub) and run clawdhub publish which performs network operations and may require you to supply a publish token. Only run it if you intend to publish and you trust the destination. - Verify the API endpoint you want to use. The code calls https://api.bocha.cn/v1/web-search while some docs reference other domains (api.bocha-ai.com, open.bocha.cn). Confirm with Bocha's official docs which endpoint is correct to avoid misrouting credentials. - Because the skill reads only BOCHA_API_KEY, avoid providing other credentials. Store the key in your environment or OpenClaw config and do not hardcode it into files that may be published. - If you plan to publish this skill publicly, remove/redact any example keys from documentation and rotate any real keys that may have been accidentally committed. If the repository owner can confirm the example key in PUBLISH.md is not valid and fix the inconsistent endpoint references, my confidence would rise and the skill would look benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d2bax2vq272990a32hyqg5n80geyr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binsnode
Primary envBOCHA_API_KEY

Comments