OpenClaw Code Search

Provides fast, read-only codebase search and exploration using grep for content, glob for filenames, and tree for directory structure with filtering and limits.

This skill appears to be a straightforward, read-only code search wrapper around ripgrep/fd/tree. Before installing or using it: (1) Ensure you trust the agent workspace path used in examples (/root/.openclaw/...) or change it to a safe directory — the script will read any path you give it and could expose sensitive files if asked to search system or home directories; (2) The script checks for rg/fd/tree but does not install them automatically — DESIGN.md suggests curl downloads from GitHub releases if needed; only run those manual install commands if you trust the source and checksum; (3) The shell script parses rg --json using awk in a simplistic way (not a security issue per se, but parsing could mis-handle edge cases); (4) Autonomous agent invocation is allowed by default — if you want to limit when the agent can run filesystem searches, keep the skill user-invocable only or adjust agent policies. Overall the skill is coherent with its stated purpose, but avoid pointing it at directories containing secrets unless you intend to expose that data.

Type: OpenClaw Skill Name: openclaw-code-search Version: 1.0.0 The skill provides benign code search functionality using standard CLI tools (ripgrep, fd, tree), and explicitly states it's read-only. However, the `scripts/search.sh` script directly passes user-controlled input (e.g., search patterns, paths) to these external commands, which, while generally robust, presents a potential shell injection vulnerability. Additionally, the dependency check in `scripts/search.sh` suggests installing tools via `curl | tar | cp` from external GitHub URLs, introducing a supply chain risk if those sources were ever compromised.