Low Risk — Risk Score 18/100
Last scan: 23 hr ago
openclaw-search-pro
Multi-engine search aggregation tool supporting Bing, Sogou, 360, DuckDuckGo, Baidu, and Tavily
A legitimate multi-engine search aggregation tool with minor doc-to-code mismatch in extract.py but no malicious behavior detected.
Skill Name: openclaw-search-pro
Duration: 59.3s
Engine: pi
Safe to install
Approve for use. Document the incomplete extract.py content extraction feature in SKILL.md. Consider pinning the axios dependency to avoid potential HTTPoxy risks.

Findings (3 items)

Severity | Finding | Category | Location
Low | Content extraction feature not implemented | Doc Mismatch | scripts/extract.py:105
SKILL.md claims extract.py extracts URL content, but the script only validates URLs without performing any HTTP fetch. The script prints placeholder code showing how to use requests/BeautifulSoup but does not actually call them.
Evidence: print('提示:完整功能需要集成 web_fetch 或 requests + BeautifulSoup')
(The printed message translates as "Hint: full functionality requires integrating web_fetch or requests + BeautifulSoup".)
→ Either implement the content extraction feature or update SKILL.md to reflect that extract.py only performs URL validation, not content extraction.
Low | extract.js output shows incomplete extraction info | Doc Mismatch | scripts/extract.js:144
The Node.js version, extract.js, has actual axios fetch logic, but the output says '提取内容摘要(前500字符)' (meaning "extracted content summary (first 500 characters)") without showing the actual extracted content in the print statement at line 144.
Evidence: console.log(text.substring(0, 500)...)
→ Ensure extract.js properly shows the extracted content in its output.
Info | Non-standard private IP range | Supply Chain | scripts/extract.js:22
The PRIVATE_NETWORKS array uses 120.0.0.0, which is not a standard RFC 1918 or link-local range. It appears to be used for security checks, but the range is unusual.
Evidence: { start: '120.0.0.0', end: '120.255.255.255' }
→ Remove the 120.0.0.0 range unless there is a specific justification for blocking it.
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All scripts use requests/axios for HTTP GET/POST to search engines
Filesystem | READ | READ | ✓ Aligned | Only reads config/search-config.json for API keys
Shell | NONE | NONE | | No subprocess/os.system calls found
Environment | NONE | NONE | | No os.environ access or credential harvesting
69 findings (4 High)

Severity | Category | Value | Location
High | IP Address: hard-coded IP address | 172.31.255.255 | scripts/extract.js:18
High | IP Address: hard-coded IP address | 169.254.0.0 | scripts/extract.js:22
High | IP Address: hard-coded IP address | 169.254.255.255 | scripts/extract.js:22
High | IP Address: hard-coded IP address | 120.0.0.0 | scripts/extract.js:122
Medium | External URL | https://ai.baidu.com/tech/search | BAIDU-API-GUIDE.md:7
Medium | External URL | https://console.bce.baidu.com/ | BAIDU-API-GUIDE.md:106
Medium | External URL | https://ai.baidu.com/ai-doc/SEARCH | BAIDU-API-GUIDE.md:107
Medium | External URL | https://www.microsoft.com/en-us/bing/apis/bing-web-search-api | README.md:183
Medium | External URL | https://registry.npmmirror.com/asynckit/-/asynckit-0.4.0.tgz | package-lock.json:26
Medium | External URL | https://registry.npmmirror.com/axios/-/axios-1.13.6.tgz | package-lock.json:32
Medium | External URL | https://registry.npmmirror.com/boolbase/-/boolbase-1.0.0.tgz | package-lock.json:43
Medium | External URL | https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz | package-lock.json:49
Medium | External URL | https://registry.npmmirror.com/cheerio/-/cheerio-1.2.0.tgz | package-lock.json:62
Medium | External URL | https://registry.npmmirror.com/cheerio-select/-/cheerio-select-2.1.0.tgz | package-lock.json:87
Medium | External URL | https://registry.npmmirror.com/combined-stream/-/combined-stream-1.0.8.tgz | package-lock.json:104
Medium | External URL | https://registry.npmmirror.com/css-select/-/css-select-5.2.2.tgz | package-lock.json:116
Medium | External URL | https://registry.npmmirror.com/css-what/-/css-what-6.2.2.tgz | package-lock.json:132
Medium | External URL | https://registry.npmmirror.com/delayed-stream/-/delayed-stream-1.0.0.tgz | package-lock.json:144
Medium | External URL | https://registry.npmmirror.com/dom-serializer/-/dom-serializer-2.0.0.tgz | package-lock.json:153
Medium | External URL | https://registry.npmmirror.com/domelementtype/-/domelementtype-2.3.0.tgz | package-lock.json:167
Medium | External URL | https://registry.npmmirror.com/domhandler/-/domhandler-5.0.3.tgz | package-lock.json:179
Medium | External URL | https://registry.npmmirror.com/domutils/-/domutils-3.2.2.tgz | package-lock.json:194
Medium | External URL | https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz | package-lock.json:208
Medium | External URL | https://registry.npmmirror.com/encoding-sniffer/-/encoding-sniffer-0.2.1.tgz | package-lock.json:222
Medium | External URL | https://registry.npmmirror.com/entities/-/entities-4.5.0.tgz | package-lock.json:235
Medium | External URL | https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz | package-lock.json:247
Medium | External URL | https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz | package-lock.json:256
Medium | External URL | https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz | package-lock.json:265
Medium | External URL | https://registry.npmmirror.com/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz | package-lock.json:277
Medium | External URL | https://registry.npmmirror.com/follow-redirects/-/follow-redirects-1.15.11.tgz | package-lock.json:292
Medium | External URL | https://registry.npmmirror.com/form-data/-/form-data-4.0.5.tgz | package-lock.json:312
Medium | External URL | https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz | package-lock.json:328
Medium | External URL | https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz | package-lock.json:337
Medium | External URL | https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz | package-lock.json:361
Medium | External URL | https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz | package-lock.json:374
Medium | External URL | https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz | package-lock.json:386
Medium | External URL | https://registry.npmmirror.com/has-tostringtag/-/has-tostringtag-1.0.2.tgz | package-lock.json:398
Medium | External URL | https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz | package-lock.json:413
Medium | External URL | https://registry.npmmirror.com/htmlparser2/-/htmlparser2-10.1.0.tgz | package-lock.json:425
Medium | External URL | https://registry.npmmirror.com/entities/-/entities-7.0.1.tgz | package-lock.json:444
Medium | External URL | https://registry.npmmirror.com/iconv-lite/-/iconv-lite-0.6.3.tgz | package-lock.json:456
Medium | External URL | https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz | package-lock.json:468
Medium | External URL | https://registry.npmmirror.com/mime-db/-/mime-db-1.52.0.tgz | package-lock.json:477
Medium | External URL | https://registry.npmmirror.com/mime-types/-/mime-types-2.1.35.tgz | package-lock.json:486
Medium | External URL | https://registry.npmmirror.com/nth-check/-/nth-check-2.1.1.tgz | package-lock.json:498
Medium | External URL | https://registry.npmmirror.com/parse5/-/parse5-7.3.0.tgz | package-lock.json:510
Medium | External URL | https://registry.npmmirror.com/parse5-htmlparser2-tree-adapter/-/parse5-htmlparser2-tree-adapter-7.1.0.tgz | package-lock.json:522
Medium | External URL | https://registry.npmmirror.com/parse5-parser-stream/-/parse5-parser-stream-7.1.2.tgz | package-lock.json:535
Medium | External URL | https://registry.npmmirror.com/entities/-/entities-6.0.1.tgz | package-lock.json:547
Medium | External URL | https://registry.npmmirror.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz | package-lock.json:559
Medium | External URL | https://registry.npmmirror.com/safer-buffer/-/safer-buffer-2.1.2.tgz | package-lock.json:565
Medium | External URL | https://registry.npmmirror.com/undici/-/undici-7.24.4.tgz | package-lock.json:571
Medium | External URL | https://registry.npmmirror.com/whatwg-encoding/-/whatwg-encoding-3.1.1.tgz | package-lock.json:580
Medium | External URL | https://registry.npmmirror.com/whatwg-mimetype/-/whatwg-mimetype-4.0.0.tgz | package-lock.json:592
Medium | External URL | https://aip.baidubce.com/oauth/2.0/token | scripts/baidu_search.py:30
Medium | External URL | https://aip.baidubce.com/rpc/2.0/kg/v1/cognitive/get_sp?sp_id=5006 | scripts/baidu_search.py:31
Medium | External URL | https://m.baidu.com/s | scripts/baidu_search.py:136
Medium | External URL | https://html.duckduckgo.com/html/ | scripts/custom_search.py:129
Medium | External URL | https://api.bing.microsoft.com/v7.0/search | scripts/custom_search.py:163
Medium | External URL | https://api.tavily.com/search | scripts/custom_search.py:215
Medium | External URL | https://cn.bing.com/search | scripts/fallback_search.py:70
Medium | External URL | https://m.sogou.com/web | scripts/fallback_search.py:112
Medium | External URL | https://www.sogou.com/sogou?query= | scripts/fallback_search.py:130
Medium | External URL | https://cn.bing.com/search?q=$ | scripts/free-search.js:32
Medium | External URL | https://www.sogou.com/web?query=$ | scripts/free-search.js:68
Medium | External URL | https://www.sogou.com | scripts/free-search.js:81
Medium | External URL | https://www.so.com/s?q=$ | scripts/free-search.js:113
Medium | External URL | https://m.so.com/s | scripts/free_search.py:151
Medium | External URL | https://www.so.com/s?q= | scripts/free_search.py:166

File Tree

17 files · 91.5 KB · 2942 lines
Python: 6 files · 1161 lines | JSON: 3 files · 669 lines | Markdown: 4 files · 660 lines | JavaScript: 3 files · 449 lines | Config: 1 file · 3 lines
├─ 📁 config
│ └─ 📋 search-config.json JSON 37L · 837 B
├─ 📁 scripts
│ ├─ 🐍 baidu_search.py Python 232L · 7.7 KB
│ ├─ 🐍 custom_search.py Python 285L · 9.5 KB
│ ├─ 📜 extract.js JavaScript 166L · 5.5 KB
│ ├─ 🐍 extract.py Python 182L · 5.7 KB
│ ├─ 🐍 fallback_search.py Python 161L · 5.2 KB
│ ├─ 🐍 free_search.py Python 204L · 6.7 KB
│ ├─ 📜 free-search.js JavaScript 187L · 6.3 KB
│ ├─ 📜 multi-search.js JavaScript 96L · 3.3 KB
│ └─ 🐍 multi-search.py Python 97L · 3.4 KB
├─ 📁 venv
│ └─ 📄 pyvenv.cfg Config 3L · 69 B
├─ 📝 BAIDU-API-GUIDE.md Markdown 111L · 2.1 KB
├─ 📋 package-lock.json JSON 600L · 21.1 KB
├─ 📋 package.json JSON 32L · 798 B
├─ 📝 README_EN.md Markdown 99L · 1.9 KB
├─ 📝 README.md Markdown 309L · 7.5 KB
└─ 📝 SKILL.md Markdown 141L · 3.6 KB

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
axios | ^1.6.7 | npm | No | Version spec allows minor updates; stable
cheerio | ^1.0.0-rc.12 | npm | No | Well-maintained HTML parser
requests | implicit | pip | No | Standard Python HTTP library; no version pinning in requirements

Security Positives

✓ No credential theft or API key exfiltration - keys only used locally for search API calls
✓ No shell execution, reverse shells, or RCE vectors detected
✓ SSRF protection implemented with private IP range checks and DNS resolution validation
✓ No base64 encoding, eval(), or obfuscation found
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No data exfiltration or C2 communication patterns
✓ Well-documented security considerations in SKILL.md
✓ HTTP requests limited to legitimate search engine domains (Bing, Sogou, 360, DuckDuckGo, Tavily)