wjzhb

yula-web-search

by yula · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Downloads: 193
Stars: 1
Active Installs: 0
Versions: 2
Install in OpenClaw
/install yula-web-search
Description
Yula's custom web search - NO API KEY required. Uses multiple fallback search methods with public services that allow anonymous access. Works by direct curl...
Usage Guidance
This skill does what it says (scrape search engines and fetch the top result pages) but it has no safeguards. Before installing, consider the following:

  1. It will make HTTP requests from your environment to arbitrary URLs returned by search results; this can reach internal services (localhost, private IP ranges, cloud metadata endpoints like 169.254.169.254) and inadvertently leak sensitive data.
  2. The skill scrapes search engines directly, which may violate the search provider's terms or be blocked.
  3. There is no allowlist/denylist, no robots.txt handling, no user confirmation step, and no rate limiting.

Recommended mitigations: install only if you trust the skill source; require the author to add explicit safety checks (block private IP ranges and cloud metadata addresses, enforce domain allowlist, limit number and size of fetched pages, ask for user confirmation before fetching pages, and respect robots.txt/ToS); or run the skill in an isolated network sandbox or through a vetted proxy/browsing service. If you cannot obtain those assurances, do not enable autonomous invocation for this skill and prefer solutions that use official search APIs or a trusted remote browsing proxy.
Capability Analysis
Type: OpenClaw Skill
Name: yula-web-search
Version: 1.0.1

The skill implements a web search and content extraction tool by scraping Bing and Google via shell commands. It is classified as suspicious due to a significant shell injection vulnerability in SKILL.md, where the $QUERY variable is directly embedded into a python3 -c command string without adequate escaping, potentially allowing arbitrary command execution if the query contains single quotes or shell metacharacters. While the behavior aligns with the stated purpose and no intentional data exfiltration was found, the reliance on 'curl | python3' execution patterns and lack of input sanitization pose a high security risk.
Capability Assessment
Purpose & Capability
Required binaries (curl, python3) and the stated behavior (HTML scraping, text extraction, summarization) are coherent with a web-scraping/search skill. However, the skill relies on scraping search engines (cn.bing.com, google.com) and then fetching arbitrary result pages — a more powerful capability than a simple query-only search and one that can have legal/ToS implications.
Instruction Scope
SKILL.md explicitly instructs the agent to (a) curl search engine HTML, (b) parse and extract result URLs, and (c) curl and extract full content from the top 2–3 result URLs with no domain allowlist, denylist, or checks. This permits requests to arbitrary hosts (including localhost, private IPs, and cloud metadata endpoints) and exfiltration of any fetched content. There are no safeguards (no robots.txt handling, no private-IP blocking, no user consent step, no rate limiting), and scraping search engines directly may be blocked or violate terms of service.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer, which reduces persistence concerns.
Credentials
The skill requests no credentials or config paths (proportionate). But despite lacking declared secrets, its runtime behavior uses the local environment's network to fetch arbitrary external/internal URLs, which is a capability that can access sensitive network resources even without env-var access.
Persistence & Privilege
always:false (not force-included). disable-model-invocation is false (agent may autonomously invoke the skill when triggered), which is platform-default. Autonomous invocation combined with unrestricted fetching increases blast radius — consider requiring explicit user confirmation before performing network fetches or disabling autonomous invocation for this skill.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install yula-web-search
  3. After installation, invoke the skill by name or use /yula-web-search
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
1.0.1: Add correct metadata, improve README
v1.0.0
No API key required web search for OpenClaw. Uses local Bing search via curl, automatically extracts content from top results and summarizes. Perfectly optimized for Chinese language queries.
Metadata
Slug: yula-web-search
Version: 1.0.1
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is yula-web-search?

Yula's custom web search - NO API KEY required. Uses multiple fallback search methods with public services that allow anonymous access. Works by direct curl... It is an AI Agent Skill for Claude Code / OpenClaw, with 193 downloads so far.

How do I install yula-web-search?

Run "/install yula-web-search" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is yula-web-search free?

Yes, yula-web-search is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does yula-web-search support?

yula-web-search is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created yula-web-search?

It is built and maintained by yula (@wjzhb); the current version is v1.0.1.
