ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web Search Pro

Agent-first web search and retrieval for live web search, news search, docs lookup, code lookup, company research, site crawl, site map, and structured evide...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
8 · 5.4k · 64 current installs · 65 all-time installs
by@Zjianru
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (live web/news/docs/code search, crawl, extract, research) match the code and declared requirements: Node runtime, optional provider API keys, and a config.json. The engines implemented (ddg, fetch, Exa, Tavily, Serper, SerpAPI, Querit, SearxNG, Perplexity, Brave, You.com, etc.) are consistent with the stated federated-search purpose.
Instruction Scope
SKILL.md and scripts direct the agent to run the included Node scripts, read config.json and optional provider env vars, and perform network fetches and crawls. The files show explicit safeguards (safe-fetch boundary: only http/https, block localhost/private/metadata targets, JS execution disabled for crawls) and use provider-specific APIs only when corresponding env keys are present. The instructions do not request unrelated system data or unrelated credentials.
Install Mechanism
The package is a code-backed Node bundle with no curl-to-shell bootstrap and no external archive downloads in the baseline path. The registry install spec indicates a bundled Node runtime (install.kind: node) and lists 'creates binaries: node' — this is likely a packaging descriptor to ensure Node is available, but you should verify how the registry/installer provides Node (it should not overwrite a system node binary or require elevated privileges).
Credentials
No required credentials are declared; many optional provider keys are listed (TAVILY_API_KEY, EXA_API_KEY, QUERIT_API_KEY, SERPER_API_KEY, BRAVE_API_KEY, SERPAPI_API_KEY, YOU_API_KEY, PERPLEXITY_API_KEY, OPENROUTER_API_KEY, KILOCODE_API_KEY, PERPLEXITY_GATEWAY_API_KEY, PERPLEXITY_BASE_URL, SEARXNG_INSTANCE_URL). These map directly to the implemented provider engines and are proportional to the skill's feature set. The skill also uses a local config.json and a cache directory (.cache/web-search-pro) as declared.
Persistence & Privilege
The skill is not forced-always (always:false) and uses normal autonomous invocation (disable-model-invocation:false). It stores local state under .cache/web-search-pro and reads a local config.json — reasonable for a search/runtime package. There is no evidence it modifies other skills or system-wide agent settings.
Assessment
This package appears to be what it says: a Node-based federated search and crawl runtime. Before installing, consider: 1) Only provide optional API keys for providers you trust — supplying a key lets that third-party service receive your search queries and extracted page content. 2) Confirm how the registry supplies the Node runtime (the install metadata mentions creating a 'node' binary); ensure installation won't overwrite your system node or require elevated privileges. 3) Review or run doctor.mjs/bootstrap.mjs in a sandbox first to inspect configured providers and baseline health. 4) Check config.json and the .cache/web-search-pro directory location if you want to control where state and cached copies of fetched content are stored. If you need higher assurance, review the assertSafeRemoteUrl and web-fetch implementations (they claim to block localhost/private/metadata targets and disable JS execution) or run the skill in an isolated environment.
scripts/crawl.mjs:118
Environment variable access combined with network send.
scripts/engines/brave.mjs:71
Environment variable access combined with network send.
scripts/engines/exa.mjs:8
Environment variable access combined with network send.
scripts/engines/perplexity.mjs:9
Environment variable access combined with network send.
scripts/engines/querit.mjs:14
Environment variable access combined with network send.
scripts/engines/searxng.mjs:11
Environment variable access combined with network send.
scripts/engines/serpapi.mjs:7
Environment variable access combined with network send.
scripts/engines/serper.mjs:8
Environment variable access combined with network send.
scripts/engines/tavily.mjs:8
Environment variable access combined with network send.
scripts/engines/you.mjs:64
Environment variable access combined with network send.
scripts/extract.mjs:125
Environment variable access combined with network send.
scripts/lib/bootstrap.mjs:90
Environment variable access combined with network send.
scripts/lib/config.mjs:487
Environment variable access combined with network send.
scripts/lib/planner.mjs:882
Environment variable access combined with network send.
scripts/lib/providers.mjs:455
Environment variable access combined with network send.
scripts/map.mjs:103
Environment variable access combined with network send.
scripts/review.mjs:85
Environment variable access combined with network send.
!
scripts/lib/config.mjs:117
File read combined with network send (possible exfiltration).
!
scripts/lib/health-state.mjs:82
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv2.1.4
Download zip
Plugin bundle (nix)
Skill pack · CLI binary · Config
SKILL.mdCLIConfig
Config requirements
State dirs.cache/web-search-pro
CLI help (from plugin)
node {baseDir}/scripts/search.mjs --help
latestvk97addyfaj89hw6b7h5eca63rh82xs5m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔎 Clawdis
Binsnode
Configconfig.json

Install

Bundled Node skill runtime
Bins: node

Config example

Starter config for this plugin bundle.

{
  env = {
    WEB_SEARCH_PRO_CONFIG = "./config.json";
  };
}

SKILL.md

Web Search Pro 2.1 Core Profile

This ClawHub package publishes the core retrieval profile of web-search-pro. It is a code-backed Node runtime package, not an instruction-only bundle.

Use This Skill When

  • the caller needs live web search or news search
  • the caller needs docs lookup or code lookup
  • the caller may continue from search into extract, crawl, map, or research
  • the agent needs explainable routing and visible federated-search gains
  • the first run needs a real no-key baseline

Quick Start

The shortest successful path is:

  • Option A: No-key baseline
  • Option B: Add one premium provider
  • Then try docs, news, and research

Option A: No-key baseline

No API key is required for the first successful run.

node {baseDir}/scripts/doctor.mjs --json
node {baseDir}/scripts/bootstrap.mjs --json
node {baseDir}/scripts/search.mjs "OpenAI Responses API docs" --json

Option B: Add one premium provider

If you only add one premium provider, start with TAVILY_API_KEY.

export TAVILY_API_KEY=tvly-xxxxx
node {baseDir}/scripts/doctor.mjs --json
node {baseDir}/scripts/search.mjs "latest OpenAI news" --type news --json

First successful searches

node {baseDir}/scripts/search.mjs "OpenClaw web search" --json
node {baseDir}/scripts/search.mjs "OpenAI Responses API docs" --preset docs --plan --json
node {baseDir}/scripts/extract.mjs "https://platform.openai.com/docs" --json

Then try docs, news, and research

node {baseDir}/scripts/search.mjs "OpenAI Responses API docs" --preset docs --json
node {baseDir}/scripts/search.mjs "latest OpenAI news" --type news --json
node {baseDir}/scripts/research.mjs "OpenClaw search skill landscape" --plan --json

Install Model

ClawHub installs this bundle directly as a code-backed Node skill pack.

  • hard runtime requirement: node
  • no remote installer, curl-to-shell bootstrap, or Python helper transport in the baseline path
  • optional runtime config file: config.json
  • local state directory: .cache/web-search-pro

Why Federated Search Matters

Federation is not just "more providers". It exposes compact gain metrics:

  • federated.value.additionalProvidersUsed
  • federated.value.resultsRecoveredByFanout
  • federated.value.resultsCorroboratedByFanout
  • federated.value.duplicateSavings
  • routingSummary.federation.value

Runtime Contract

  • selectedProvider The planner's primary route.
  • routingSummary Compact route explanation with confidence and federation summary.
  • routing.diagnostics Full route diagnostics exposed by --explain-routing or --plan.
  • federated.providersUsed The providers that actually returned results when fanout is active.
  • federated.value Compact federation gain summary for added providers, recovered results, corroboration, and duplicate savings.
  • cached / cache Cache hit plus TTL telemetry for agents.
  • topicType, topicSignals, researchAxes Structured planning summaries for the model-facing research pack.

Commands By Task

Included commands:

  • search.mjs
  • extract.mjs
  • crawl.mjs
  • map.mjs
  • research.mjs
  • doctor.mjs
  • bootstrap.mjs
  • capabilities.mjs
  • review.mjs
  • cache.mjs
  • health.mjs

Runtime notes:

  • Node is the only hard runtime requirement.
  • No API key is required for the baseline.
  • Optional provider credentials or endpoints widen coverage.
  • Baseline outbound requests use curl when available and fall back to built-in fetch.

Baseline:

  • No API key is required for the baseline.
  • ddg is best-effort no-key search.
  • fetch is the no-key extract / crawl / map fallback.

Optional provider credentials or endpoints unlock stronger coverage:

TAVILY_API_KEY=tvly-xxxxx
EXA_API_KEY=exa-xxxxx
QUERIT_API_KEY=xxxxx
SERPER_API_KEY=xxxxx
BRAVE_API_KEY=xxxxx
SERPAPI_API_KEY=xxxxx
YOU_API_KEY=xxxxx
SEARXNG_INSTANCE_URL=https://searx.example.com

# Perplexity / Sonar: choose one transport path
PERPLEXITY_API_KEY=xxxxx
OPENROUTER_API_KEY=xxxxx
OPENROUTER_BASE_URL=https://openrouter.ai/api/v1  # optional override
KILOCODE_API_KEY=xxxxx

# Or use a custom OpenAI-compatible gateway
PERPLEXITY_GATEWAY_API_KEY=xxxxx
PERPLEXITY_BASE_URL=https://gateway.example.com/v1
PERPLEXITY_MODEL=perplexity/sonar-pro  # accepts sonar* or perplexity/sonar*

Review and diagnostics:

node {baseDir}/scripts/capabilities.mjs --json
node {baseDir}/scripts/doctor.mjs --json
node {baseDir}/scripts/bootstrap.mjs --json
node {baseDir}/scripts/review.mjs --json

Search keywords:

web search, news search, latest updates, current events, docs search, API docs, code search, company research, competitor analysis, site crawl, site map, multilingual search, Baidu search, answer-first search, cited answers, explainable routing, no-key baseline

Files

68 total
Select a file
Select a file to preview.

Comments

Loading comments…