Is web-search-plus safe?
https://clawhub.ai/robbyczgw-cla/web-search-plus
Web Search Plus is a legitimate multi-provider search skill with well-structured documentation and functional SSRF protections. However, filesystem monitoring reveals concerning access to sensitive files during installation (.aws/credentials, auth-profiles.json, .env), and the executable Python scripts run with full host permissions and network access. The incomplete source code prevents full verification of all code paths. No prompt injection, canary tampering, or malicious network activity was detected.
Findings (7)
HIGH AWS credentials file accessed during install -30
Filesystem monitoring detected that /home/oc-exec/.aws/credentials was opened and read during the skill installation/loading process. A search skill has no legitimate need to access AWS credentials. While this may be caused by the OpenClaw framework loader rather than the skill code itself, the skill's execution context has access to this sensitive file.
MEDIUM Multiple sensitive config files read during install -15
The install process read .env, openclaw.json, auth-profiles.json, .profile, and .bashrc — files that commonly contain API keys, authentication tokens, and environment configuration. The skill's _load_env_file() explicitly loads .env contents into the process environment.
MEDIUM Network-capable Python scripts executed on host -20
The skill requires executing Python scripts that make HTTP requests to external APIs. While this is the intended search functionality, it means arbitrary Python code runs with the user's permissions and network access. The setup.py also makes outbound connections for SearXNG instance validation.
LOW SSRF escape hatch via SEARXNG_ALLOW_PRIVATE -10
The _validate_searxng_url() function blocks private/internal IPs by default but provides a SEARXNG_ALLOW_PRIVATE=1 environment variable override. If a user sets this (as documented in SKILL.md), the SSRF protection is fully disabled, allowing requests to internal network services.
LOW Incomplete source code prevents full analysis -10
The search.py source code is truncated mid-class (QueryAnalyzer RESEARCH_SIGNALS). The full execution paths for all providers, the actual HTTP request construction, response handling, and any potential data leakage in error paths cannot be fully verified.
INFO Clean SKILL.md with no agent manipulation -5
SKILL.md contains straightforward documentation with usage instructions, provider comparisons, and configuration examples. No hidden instructions, persona overrides, or prompt injection techniques detected.
INFO Search queries as potential exfiltration channel -10
Once active, the skill sends user-controlled queries to external APIs. In a multi-skill environment, another compromised skill could instruct the agent to perform searches containing encoded sensitive data, using this skill as an unwitting exfiltration channel.