← Back to Skills Marketplace

Search Cluster

Name: Search Cluster
Author: 1999azzar

by azzar budiyanto · GitHub ↗ · v3.5.1

cross-platform ⚠ suspicious

1356

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install search-cluster

Description

Aggregated search aggregator using Google CSE, GNews RSS, Wikipedia, Reddit, and Scrapling.

Usage Guidance

This skill appears to do what it claims: aggregate searches across Google CSE, Wikipedia, Reddit, Google News RSS, and a scrapling-based DuckDuckGo scraper. Before installing, consider the following: (1) Run the scrapling provider in a dedicated, isolated virtual environment as instructed and set SCRAPLING_PYTHON_PATH to that venv's python to avoid executing unreviewed code with your system python. (2) The SKILL.md references a scripts/ path while the files are at the repository root — verify the file paths when invoking the tool. (3) The scrapling package executes scraping logic (stealth_fetch.py runs as a subprocess); review that package's source or use network isolation if you don't trust it. (4) Google API keys (if used) and any Redis host you configure should be scoped and protected; REDIS_HOST is optional and only used for caching. (5) If you need higher assurance, inspect the referenced GitHub homepage (skill.json points to a repo) and/or run the code in a sandbox before granting access to any credentials or production networks.

Capability Analysis

Type: OpenClaw Skill Name: search-cluster Version: 3.5.1 The skill is classified as suspicious due to a potential Remote Code Execution (RCE) vulnerability in `search-cluster.py`. The `subprocess.run` call for the `scrapling_search` function uses the `SCRAPLING_PYTHON_PATH` environment variable as the executable path. If an attacker can control this environment variable, they could point it to an arbitrary executable, leading to RCE. While the skill's stated purpose is benign and it includes a prompt injection sanitizer (`internal_sanitize`), this configurable executable path represents a significant security risk, even without clear evidence of intentional malicious exploitation within the skill's own code.

Capability Assessment

✓ Purpose & Capability

Name/description match the implemented behavior: the code queries Google CSE (optional), Wikipedia, Reddit, GNews RSS, and a local scrapling-based scraper. Optional env vars (GOOGLE_*, SCRAPLING_PYTHON_PATH, REDIS_*, SEARCH_USER_AGENT) are appropriate for these providers. Minor inconsistency: registry metadata listed no homepage while skill.json contains a GitHub homepage; SKILL.md refers to scripts/ subpaths (scripts/search-cluster.py, scripts/stealth_fetch.py) but the actual files live at the repository root (search-cluster.py, stealth_fetch.py). This appears to be sloppy documentation rather than functional mismatch.

✓ Instruction Scope

SKILL.md instructs creating a dedicated venv for scrapling and setting SCRAPLING_PYTHON_PATH; the runtime instructions and code keep network activity limited to provider endpoints (Google APIs, Wikipedia, Reddit, Google News RSS, DuckDuckGo via scrapling). The code uses subprocess.run to execute stealth_fetch.py with the query as an argument (explicit, not reading arbitrary files). There are no instructions to read unrelated system files or exfiltrate environment variables.

✓ Install Mechanism

There is no install spec (instruction-only for the platform), which is low risk. SKILL.md requires creating a venv and pip-installing 'scrapling' there; skill.json lists python dependencies ('redis', 'scrapling') and binary 'python3' — this is consistent with the code (redis is optional and only imported when REDIS_HOST is set). No remote arbitrary downloads or extract steps are present.

✓ Credentials

All requested/declared environment variables are proportional and directly tied to functionality: optional Google API credentials for CSE, SCRAPLING_PYTHON_PATH for the scraper venv, REDIS_HOST/PORT for caching, and SEARCH_USER_AGENT for HTTP requests. No unrelated secrets or broad credential requests are present.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills, and asks for no system-wide configuration or persistent privileges. It executes a local helper script via subprocess but that helper is packaged with the skill; this is expected behavior for the scrapling provider and is limited to the skill's scope.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install search-cluster
After installation, invoke the skill by name or use /search-cluster
Provide required inputs per the skill's parameter spec and get structured output

Version History

v3.5.1

V3.5.1: Final flattened structure. All scripts in root to guarantee ClawHub inclusion. Fixed all reported bugs.

v3.4.0

V3.4.0: Fixed Redis recursion bug. Guaranteed inclusion of stealth_fetch.py. 100% manifest sync.

v3.3.0

V3.3.0: FIXED infinite recursion in redis_get. Included missing stealth_fetch.py. Fully synced manifest (Redis, User-Agent).

v3.2.0

V3.2.0: FIXED infinite recursion in redis_get. Included missing stealth_fetch.py. Updated manifest with all environment variables.

v3.1.0

V3.1.0: Full script inclusion, synced manifest (Redis, User-Agent), and clearer provider status.

v3.0.0

V3.0.0: Restoration of Wikipedia and Reddit. Full documentation restored. Industry-standard security and path-neutrality.

v2.9.0

V2.9.0: Restored Wikipedia and Reddit. Hardened security with built-in IPI scrubbing and path-neutrality.

v2.8.1

Final security hardening: fixed metadata manifest, removed cross-skill path coupling, and added built-in IPI protection.

v2.8.0

**Summary:** Adds integrated internal sanitization and optional Redis caching. - Replaces guardian-wall sanitization with a native internal scrubber (Path Neutral). - Adds support for optional Redis-based result caching (set REDIS_HOST). - Updates documentation to reflect new sanitization and caching features.

v2.7.0

- Removed obsolete reference file: references/search-apis.md. - Updated scripts/search-cluster.py (details not provided). - No user-facing documentation changes in SKILL.md for this version.

v2.6.0

**Summary: Improved provider setup, security details, and documentation.** - Updated documentation to clarify installation steps for the scrapling provider. - Enhanced security posture section: clarified subprocess isolation and automatic sanitization. - Added explicit environment variable instructions, including GUARDIAN_WALL_PATH. - Improved and clarified provider descriptions. - Output format and workflow steps highlighted for user guidance.

v2.4.0

- Updated scripts/search-cluster.py with internal improvements. - No visible user-facing changes or updates to documentation.

v2.3.0

- Updated scripts/search-cluster.py. - No user-facing changes documented in SKILL.md.

v2.2.0

**Search Cluster v2.2.0 — Security and Integrity Improvements** - Removed dynamic Python code execution; now uses secure subprocess argument passing. - Enforced strict SSL/TLS verification for all external network calls. - Eliminated reliance on hard-coded workspace paths for better portability. - Updated SKILL.md: clarified provider list, streamlined requirements, and modernized documentation. - Added `stealth_fetch.py` script for enhanced stealth scraping capabilities.

v2.1.0

**Security and configuration improvements in version 2.1.0:** - Added code-injection protection by sanitizing and escaping queries before execution. - Enforced SSL verification for all API requests to enhance transport security. - Updated documentation to clarify required and optional environment variables for configuration. - Ensured all search results are formatted as JSON objects with clear source, title, link, and snippet fields. - Strengthened workflow instructions for sanitizing outputs with the guardian-wall skill.

v2.0.0

Version 2.0.0 brings a major overhaul focused on stealth scraping and real-time aggregation across multiple web sources. - Introduced "Scrapling" stealth scraping and Google News (GNews) RSS as primary search mechanisms for enhanced coverage and evasion of anti-bot systems. - Updated source lineup: now supports Scrapling, GNews, Google CSE, Wikipedia, and Reddit, each optimized for specific information types. - Requires a new Python virtual environment and dependencies tailored for stealth operations. - All search results are now recommended to be passed through the `guardian-wall` skill for secure content sanitization. - Documentation overhauled to reflect new workflow, source priorities, and technical requirements.

v1.1.2

Addressed audit findings: removed unverified SSL fallback, declared all required environment variables in metadata, and standardized documentation.

v1.1.1

Fix SSL verification issue on minimal environments

v1.1.0

Add NewsAPI support for latest news search

v1.0.2

search-cluster 1.0.2 - Minor changes made to scripts/search-cluster.py. - No updates to documentation or usage in SKILL.md.

Metadata

Slug search-cluster

Version 3.5.1

License —

All-time Installs 7

Active Installs 7

Total Versions 22

Frequently Asked Questions

What is Search Cluster?

Aggregated search aggregator using Google CSE, GNews RSS, Wikipedia, Reddit, and Scrapling. It is an AI Agent Skill for Claude Code / OpenClaw, with 1356 downloads so far.

How do I install Search Cluster?

Run "/install search-cluster" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Search Cluster free?

Yes, Search Cluster is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Search Cluster support?

Search Cluster is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Search Cluster?

It is built and maintained by azzar budiyanto (@1999azzar); the current version is v3.5.1.

More Skills