Low Risk — Risk Score 20/100
Last scan: 23 hr ago
coze-web-search
Search the web using coze-coding-dev-sdk. Supports web search, image search, AI summaries, time filters, and site restrictions.
Legitimate Coze web search wrapper; code is clean with no hidden behavior, but relies on unpinned dynamic SDK download via npx.
Skill Name: coze-web-search
Duration: 33.2s
Engine: pi
Safe to install
Pin coze-coding-dev-sdk to a specific version in a package.json to prevent supply-chain substitution. Otherwise safe to use.

Findings 2 items

Severity | Finding | Location

Low | Dynamic dependency with no version pin | Supply Chain
The coze-coding-dev-sdk package is fetched dynamically via npx without a package.json pinning a specific version. This allows the package to change silently over time, potentially introducing malicious updates from the registry.
    import { SearchClient, Config, APIError } from "coze-coding-dev-sdk";
→ Add a package.json with coze-coding-dev-sdk pinned to a known-good version (e.g., coze-coding-dev-sdk@<known-good version>).
scripts/search.ts:1

Low | No local dependency manifest | Supply Chain
No requirements.txt, package.json, or Cargo.toml exists in the repository. This means the exact SDK version cannot be audited or reproduced.
    npx ts-node {baseDir}/scripts/search.ts -q "Python programming"
→ Include a package.json or equivalent pinning coze-coding-dev-sdk to a specific version.
SKILL.md:17
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ Aligned | SKILL.md declares no file operations; script only reads process.argv
Network | NONE | READ | ✓ Aligned | All network traffic goes through coze-coding-dev-sdk to coze.com API, which is t…
Shell | NONE | WRITE | ✓ Aligned | SKILL.md line 17: npx ts-node is the declared execution method
Environment | NONE | NONE | | No access to process.env; Config() uses default SDK behavior
External URLs: 2 findings

Medium | External URL | https://www.coze.com | SKILL.md:4
Medium | External URL | https://www.python.org | SKILL.md:91

File Tree

2 files · 10.2 KB · 360 lines
TypeScript: 1 file · 252 lines; Markdown: 1 file · 108 lines
├─ 📁 scripts
│ └─ 📜 search.ts TypeScript 252L · 7.5 KB
└─ 📝 SKILL.md Markdown 108L · 2.8 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
coze-coding-dev-sdk | * | npm (dynamic) | No | No version pin; fetched dynamically via npx at runtime
ts-node | * | npx | No | Transpiler runtime; not locally pinned

Security Positives

✓ No credential theft: no access to ~/.ssh, ~/.aws, .env, or process.env for secrets
✓ No obfuscation: no base64, eval, or anti-analysis techniques
✓ No data exfiltration: all network traffic is limited to the documented coze.com search API
✓ No hidden functionality: script behavior matches SKILL.md declarations
✓ No sensitive file access: no reads of SSH keys, credentials, or config files
✓ Clean code: straightforward argument parsing, SDK calls, and output formatting