Claw Search
Author: yuanchao193 · GitHub · v1.0.3 · MIT-0
368 total downloads · 0 favorites · 0 current installs · 4 versions
Install in OpenClaw
/install claw-search
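Description
Provides a free, general-purpose web search API service with multi-backend compatibility, no API key required, and fast responses; suited to AI agent integration.
Usage (SKILL.md)
Claw Search 🔍
A free, general-purpose Web Search API service designed for AI agents.
Features
- 🔍 Web search - a Web Search API similar to Brave Search
- 🌐 Broad compatibility - works with OpenClaw, Claude Code and other agents
- 🔑 No API key required - uses the skillhub backend, no sign-up needed
- 🚀 Fast responses - optimized search experience
- 🐳 Docker deployment - one-step deployment to any server
API usage
Web search
```bash
curl -X POST https://api.claw-search.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": "openclaw ai agent", "count": 10}'
```
Sample search result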
```json
{
  "query": "openclaw ai agent",
  "count": 5,
  "results": [
    {
      "title": "openclaw-backup",
      "url": "https://clawhub.com/skill/openclaw-backup",
      "description": "OpenClaw Backup",
      "age": ""
    }
  ]
}
```
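API parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| query | string | Yes | Search keywords |
| count | number | No | Number of results to return (default 10, max 20) |
| offset | number | No | Pagination offset |
| country | string | No | Country code (default CN) |
| freshness | string | No | Time range: pd (day), pw (week), pm (month), py (year) |
Deployment
Docker deployment (recommended)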
```bash
# Clone or download the project
cd claw-search
# Start the service
docker-compose up -d
# Test
curl https://api.claw-search.com/health
```
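Manual deployment
```bash
# Install dependencies
npm install
# Start the service
PORT=8080 npm start
```
Environment variables
| Variable | Description |
|---|---|
| PORT | Service port (default 8080) |
| TAVILY_API_KEY | Tavily API Key (optional) |
| BRAVE_API_KEY | Brave Search API Key (optional) |
Calling from an OpenClaw Skill
```bash
node {baseDir}/scripts/search.mjs "搜索关键词"
node {baseDir}/scripts/search.mjs "搜索关键词" -n 10
```
Supported backends
- skillhub (default, free) - searches ClawHub skills
- tavily (API key required) - AI-optimized general search
- brave (API key required) - Brave Search
Publishing to ClawHub
```bash
clawhub publish
```
License
MIT
Security recommendations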
This skill is plausible as a search aggregator, but I recommend caution before installing or running it on any machine you care about:
- Review and mitigate shell-injection risk: server/search.js uses execSync with user-supplied query (executes `skillhub search "<query>"`). Treat queries as untrusted input and avoid executing them in a shell; prefer spawn with argument arrays or sanitize/escape inputs.
- Confirm required binaries and runtimes: the code expects Chromium at /usr/bin/chromium-browser, Node + npm (to install puppeteer), and the 'skillhub' CLI; a Python Flask stack appears too. These are not declared in metadata — install in an isolated environment (container) if you test.
- Audit third-party dependencies and sources: package-lock references a non-default npm mirror; if you plan to run npm install, consider pinning/inspecting packages and fetching from trusted registries.
- Watch filesystem access: server-v2.js reads an absolute path under /root/.openclaw/workspace/..., and the service writes /tmp/claw-search-stats.json. Ensure the service cannot access sensitive host files and run inside a sandbox (container with limited mounts) if installed.
- If you need the skill for agent usage, prefer self-hosting in an isolated container (no access to host secrets), or ask the author to: (a) declare required binaries/py deps, (b) remove direct exec of user-controlled strings or properly escape arguments, (c) avoid hard-coded absolute paths and document data locations.
Given the mismatches and the exploitable pattern (shell exec with unsanitized input), treat this skill as suspicious until the above issues are resolved or you perform an operational audit in a safe environment.
Functional analysis
Type: OpenClaw Skill
Name: claw-search
Version: 1.0.3
The skill bundle contains a critical shell injection vulnerability in 'server/search.js', where the 'searchSkillhub' function passes unsanitized user-controlled search queries directly into 'execSync'. This allows for Remote Code Execution (RCE) via queries containing shell metacharacters. Additionally, 'server-v2.js' relies on hardcoded absolute paths in the root directory and executes Puppeteer with the '--no-sandbox' flag, which significantly weakens container security. While the bundle appears to be a functional search tool, these high-risk implementation flaws represent a major security liability.
Capability assessment
Purpose & Capability
The skill claims a lightweight, no-API-key search API, but the shipped code needs additional runtime components that are not declared: (1) Node code uses puppeteer/puppeteer-core and expects a Chromium binary at /usr/bin/chromium-browser; (2) a Python frontend (search-frontend/server.py) requires Flask, requests, BeautifulSoup, but Python deps are not documented; (3) server/search.js calls an external 'skillhub' CLI via execSync. These binaries/libraries are plausible for a scraping-based search service, but the skill metadata declared no required binaries or install steps — that mismatch is concerning.
Instruction Scope
The SKILL.md gives general deploy/run instructions only, but the runtime instructions in the code go beyond that surface: server/search.js executes `skillhub search "<query>"` (execSync) which runs a local binary with user-supplied input (risk of shell injection and requires 'skillhub' to exist). server-v2.js reads a hard-coded absolute path under /root/.openclaw/workspace/... to load data, indicating the code expects access to the agent's workspace filesystem. Multiple components perform web scraping (puppeteer, requests) — all of which are coherent with a search aggregator but the SKILL.md does not warn about required native/browser binaries or the local-exec behavior.
Install Mechanism
There is no install spec in registry metadata (instruction-only), but repository includes package.json and package-lock.json and expects npm install; package-lock entries resolve via a Tencent mirror (mirrors.tencentyun.com). Relying on npm install will pull many dependencies (puppeteer and its browser tooling are large). The absence of a declared install mechanism plus use of puppeteer and a non-default mirror are operational / supply-chain risks to review before installing.
Credentials
SKILL.md lists a small set of optional env vars (PORT, TAVILY_API_KEY, BRAVE_API_KEY) and the scripts reference CLAW_SEARCH_URL. There are no broad credentials requested. However, the code expects system binaries (chromium, skillhub) and reads/writes local files (/tmp/claw-search-stats.json, /root/.openclaw/...). Those filesystem accesses are not declared in metadata and may expose more of the host environment than the README implies.
Persistence & Privilege
Skill does not set always:true and does not request elevated platform privileges in the metadata. It does, however, contain server code that will run as a persistent service when deployed (docker-compose), which is expected for a search API but means it will run continuously and have filesystem/network access as shown in the code.
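How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install claw-search
- Once installed, call the Skill by name or trigger it with /claw-search
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.3
Updated to the latest version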
v1.0.2
- Updated all example API endpoints to use the public https://api.claw-search.com instead of localhost for easier access.
- Adjusted health check and deployment instructions to reflect the new endpoint.
v1.0.1
- Updated public/index.html (details not specified).
- No changes to documentation or feature list in SKILL.md.
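v1.0.0
Claw Search 1.0.0 initial release
- Provides a free, general-purpose web search API with no API key required, designed for AI agents
- Supports OpenClaw, Claude Code and other agents, with seamless integration
- Offers both one-step Docker deployment and manual deployment
- Choice of search backends: skillhub (default, free), Tavily, Brave
- Supports multiple custom parameters: keywords, result count, pagination, country, time range
- Rich API documentation and usage examples
FAQ
What is Claw Search?
Provides a free, general-purpose web search API service with multi-backend compatibility, no API key required, and fast responses; suited to AI agent integration. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 368 cumulative downloads to date.
How do I install Claw Search?
Run the command "/install claw-search" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.
Is Claw Search free?
Yes, Claw Search is completely free and uses the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Claw Search support?
Claw Search is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Claw Search?
It is developed and maintained by yuanchao193 (@yuanchao193); the current version is v1.0.3.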