nishant-clawit

Openclaw Web Search Mcp

Author: nishant-clawit · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 352
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install openclaw-web-search-mcp
Description
Provides AI agents with web search, page and PDF extraction, YouTube transcripts, summarization, semantic search, and automated research workflows.
Security recommendations
This skill appears to implement the advertised browsing and research features but has several red flags you should resolve before installing:
- The YouTube transcript code runs a shell command (yt-dlp) via execSync and calls a hardcoded path (/home/nishu/.local/bin/yt-dlp). Ask the author to (a) remove the hardcoded path, (b) document that yt-dlp is a required external binary (and how to install it), or (c) use a Node library instead. Running unverified shell commands is a risk.
- SKILL.md says 'Google search' but the code scrapes DuckDuckGo. Confirm which search provider you expect and whether scraping is acceptable for your use case.
- mcp.json lists a tool ('crawl_site') that is not implemented; verify the tool list and behavior to ensure there is no hidden functionality.
- Because the code uses execSync and will write temporary files, run this skill in a sandboxed environment (or on an isolated agent) until you validate it. Review/modify the youtubeTranscript code to avoid arbitrary shell execution if you cannot fully trust the package.

If you are not comfortable auditing or modifying the code, do not install this skill in a production or high-privilege agent. Asking the author for corrected packaging and explicit runtime requirements would materially reduce the risk.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-web-search-mcp
Version: 1.0.0

The skill bundle contains a critical command injection vulnerability in 'extraction/youtubeTranscript.js' where the 'url' input is directly interpolated into an 'execSync' shell command. Additionally, this file uses a hardcoded absolute path to a specific local user's directory ('/home/nishu/.local/bin/yt-dlp'), which is highly irregular for a portable bundle and suggests poor development practices or an environment-specific exploit. While these flaws present a significant RCE risk, they appear to be unintentional vulnerabilities rather than purposefully designed malware, as no exfiltration or persistence logic was identified.
Capability assessment
Purpose & Capability
Overall functionality (search, page/PDF extraction, transcripts, summarization, embeddings, research) matches the description. However there are mismatches: SKILL.md claims Google search but the code uses DuckDuckGo; mcp.json advertises a 'crawl_site' tool that has no implementation in index.js; package.json lists a 'youtube-transcript' dependency but the code calls an external yt-dlp executable instead. These inconsistencies suggest sloppy packaging or unmet assumptions about the host environment.
Instruction Scope
SKILL.md gives a straightforward CLI usage, but the implementation runs a shell command (child_process.execSync) to invoke a local yt-dlp binary and reads/writes subtitle files in the package directory. The runtime instructions do not declare that yt-dlp is required or that the skill will execute shell commands and touch files, which expands the agent's scope beyond what's documented.
Install Mechanism
There is no packaged install spec beyond 'npm install' (package.json and package-lock.json are provided). Using npm is normal, and dependencies are standard. No remote/external archive downloads are performed by the MCP itself. Still, the code depends on an external non-npm tool (yt-dlp) invoked at runtime, which is not installed via the provided instructions.
Credentials
The skill declares no required environment variables or binaries, yet extraction/youtubeTranscript.js executes a hardcoded absolute path (/home/nishu/.local/bin/yt-dlp). Requiring an external binary but not declaring it is incoherent. The hardcoded path embeds a specific user home (exposing author environment details) and will likely fail or invoke an unexpected binary on other hosts.
Persistence & Privilege
The skill does not request elevated persistence: always:false, no reported changes to other skills or system-wide configuration. It writes a temporary subtitle file inside its directory during transcript extraction, which is limited scope.
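How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install openclaw-web-search-mcp
  3. Once installation completes, invoke the Skill by name or trigger it with /openclaw-web-search-mcp
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history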
v1.0.0
Initial release providing comprehensive web search and research tools for AI agents:
- Google search with structured results
- Web page and PDF text extraction
- YouTube video transcript retrieval
- Summarization and semantic search capabilities
- Automated multi-step research workflows
Metadata
Slug openclaw-web-search-mcp
Version 1.0.0
License
Total installs 0
Current installs 0
Version count 1
FAQ

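What is Openclaw Web Search Mcp?

Provides AI agents with web search, page and PDF extraction, YouTube transcripts, summarization, semantic search, and automated research workflows. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 352 total downloads so far.

How do I install Openclaw Web Search Mcp?

Run the command "/install openclaw-web-search-mcp" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is Openclaw Web Search Mcp free?

Yes, Openclaw Web Search Mcp is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Openclaw Web Search Mcp support?

Openclaw Web Search Mcp runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Openclaw Web Search Mcp?

Developed and maintained by nishant-clawit (@nishant-clawit); the current version is v1.0.0.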
