Openclaw Web Search Mcp
by nishant-clawit · v1.0.0
Downloads: 352 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install openclaw-web-search-mcp
Description
Provides AI agents with web search, page and PDF extraction, YouTube transcripts, summarization, semantic search, and automated research workflows.
Usage Guidance
This skill appears to implement the advertised browsing and research features but has several red flags you should resolve before installing:
- The YouTube transcript code runs a shell command (yt-dlp) via execSync and calls a hardcoded path (/home/nishu/.local/bin/yt-dlp). Ask the author to (a) remove the hardcoded path, (b) document that yt-dlp is a required external binary (and how to install it), or (c) use a Node library instead. Running unverified shell commands is a risk.
- SKILL.md says 'Google search' but the code scrapes DuckDuckGo. Confirm which search provider you expect and whether scraping is acceptable for your use case.
- mcp.json lists a tool ('crawl_site') that is not implemented; verify the tool list and behavior to ensure there is no hidden functionality.
- Because the code uses execSync and will write temporary files, run this skill in a sandboxed environment (or on an isolated agent) until you validate it. Review/modify the youtubeTranscript code to avoid arbitrary shell execution if you cannot fully trust the package.
If you are not comfortable auditing or modifying the code, do not install this skill in a production or high-privilege agent. Asking the author for corrected packaging and explicit runtime requirements would materially reduce the risk.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-web-search-mcp
Version: 1.0.0
The skill bundle contains a critical command injection vulnerability in 'extraction/youtubeTranscript.js' where the 'url' input is directly interpolated into an 'execSync' shell command. Additionally, this file uses a hardcoded absolute path to a specific local user's directory ('/home/nishu/.local/bin/yt-dlp'), which is highly irregular for a portable bundle and suggests poor development practices or an environment-specific exploit. While these flaws present a significant RCE risk, they appear to be unintentional vulnerabilities rather than purposefully designed malware, as no exfiltration or persistence logic was identified.
Capability Assessment
Purpose & Capability
Overall functionality (search, page/PDF extraction, transcripts, summarization, embeddings, research) matches the description. However there are mismatches: SKILL.md claims Google search but the code uses DuckDuckGo; mcp.json advertises a 'crawl_site' tool that has no implementation in index.js; package.json lists a 'youtube-transcript' dependency but the code calls an external yt-dlp executable instead. These inconsistencies suggest sloppy packaging or unmet assumptions about the host environment.
Instruction Scope
SKILL.md gives a straightforward CLI usage, but the implementation runs a shell command (child_process.execSync) to invoke a local yt-dlp binary and reads/writes subtitle files in the package directory. The runtime instructions do not declare that yt-dlp is required or that the skill will execute shell commands and touch files, which expands the agent's scope beyond what's documented.
Install Mechanism
There is no packaged install spec beyond 'npm install' (package.json and package-lock.json are provided). Using npm is normal, and dependencies are standard. No remote/external archive downloads are performed by the MCP itself. Still, the code depends on an external non-npm tool (yt-dlp) invoked at runtime, which is not installed via the provided instructions.
Credentials
The skill declares no required environment variables or binaries, yet extraction/youtubeTranscript.js executes a hardcoded absolute path (/home/nishu/.local/bin/yt-dlp). Requiring an external binary but not declaring it is incoherent. The hardcoded path embeds a specific user home (exposing author environment details) and will likely fail or invoke an unexpected binary on other hosts.
Persistence & Privilege
The skill does not request elevated persistence: always:false, no reported changes to other skills or system-wide configuration. It writes a temporary subtitle file inside its directory during transcript extraction, which is limited scope.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install openclaw-web-search-mcp
- After installation, invoke the skill by name or use /openclaw-web-search-mcp
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release providing comprehensive web search and research tools for AI agents:
- Google search with structured results
- Web page and PDF text extraction
- YouTube video transcript retrieval
- Summarization and semantic search capabilities
- Automated multi-step research workflows
Frequently Asked Questions
What is Openclaw Web Search Mcp?
Provides AI agents with web search, page and PDF extraction, YouTube transcripts, summarization, semantic search, and automated research workflows. It is an AI Agent Skill for Claude Code / OpenClaw, with 352 downloads so far.
How do I install Openclaw Web Search Mcp?
Run "/install openclaw-web-search-mcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openclaw Web Search Mcp free?
Yes, Openclaw Web Search Mcp is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Openclaw Web Search Mcp support?
Openclaw Web Search Mcp is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Openclaw Web Search Mcp?
It is built and maintained by nishant-clawit (@nishant-clawit); the current version is v1.0.0.