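A unified wrapper around the full family of Bocha search APIs (Web Search / AI Search / Agent Search / Reranker), invoked through Node.js scripts, with support for standard parameters and raw JSON passthrough. Use it when the user mentions "Bocha search / web search / AI search / Agent search / reranking / rerank / fact-checking / industry research report retrieval".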
Security Analysis
High confidence
The skill appears to implement a simple wrapper around Bocha search APIs and mostly behaves as described, but the package metadata does not declare the single required credential (BOCHA_API_KEY) and the runtime allows arbitrary JSON passthrough; these inconsistencies/risks should be considered before installing.
Name, description, and implementation align: the scripts call Bocha search endpoints (web/ai/agent/reranker) and expose parameters the SKILL.md documents. The code only targets api.bochaai.com endpoints, which matches the declared purpose.
SKILL.md tells the agent to run the included Node/Bash scripts and to provide an API key via BOCHA_API_KEY or a local config.json. The scripts only read that config or env var, build a JSON payload, and POST to the Bocha API. One scope note: the --raw-json option allows callers to pass arbitrary JSON that will be merged and sent to the external API — this is expected for advanced use but means the caller must avoid embedding secrets or unrelated data in queries.
There is no install spec; this is a script bundle intended to be run directly. No network downloads or package installs occur during setup, and the code itself is not obfuscated. Requires a Node runtime present on the host.
The skill requires a Bocha API key at runtime (BOCHA_API_KEY or skills/bocha-web-search/config.json), but the registry metadata lists no required environment variables or primary credential. That mismatch is an incoherence: the skill will fail without providing a sensitive secret, and the metadata does not surface that requirement. Apart from that single API key, no other credentials or unrelated env vars are accessed.
The skill does not request permanent/always-enabled presence, does not modify other skills' settings, and does not write to system-wide config. The only file it suggests creating is a local skills/bocha-web-search/config.json to store the API key (local persistent file).
Guidance
This skill is a straightforward client for the Bocha search APIs and will send your queries (and any JSON you pass with --raw-json) to https://api.bochaai.com. Before installing:
1) Be aware you must provide a Bocha API key (either as the BOCHA_API_KEY env var or in a local skills/bocha-web-search/config.json); the registry metadata failing to declare this is an inconsistency you should note.
2) Do not include secrets or unrelated private data in queries or in --raw-json, since those values are transmitted to an external service.
3) Verify you trust the Bocha service and restrict the API key's permissions/rotation as appropriate; store config.json with tight filesystem permissions.
4) Ensure Node is available in the environment.
If you need stronger assurances, ask the publisher for a homepage/contact, or run the scripts in a sandbox and monitor outbound requests to confirm they go only to api.bochaai.com.
Latest Release
v1.0.2
Rename display name to 'Bocha Web Search' (remove parenthetical suffix).
Published by @YIKAILucas on ClawHub