Baidu Search V2

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Baidu web-search wrapper, with expected use of a Baidu API key and minor package identity metadata inconsistencies to verify.

This skill appears purpose-aligned and non-destructive. Before installing, confirm you trust the package source despite the metadata mismatch, use a limited Baidu API key, and avoid putting sensitive information into search queries unless you are comfortable sharing it with Baidu's service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Searches may use the user's Baidu API quota, billing, or account permissions.

Why it was flagged

The script reads the declared Baidu API key from the environment and uses it as a bearer token for the Baidu API. This is expected for the stated purpose, but it is still credential-based delegated access.

Skill content

api_key = os.getenv("BAIDU_API_KEY") ... "Authorization": "Bearer %s" % api_key

Recommendation

Use a Baidu API key with the minimum permissions needed for search and rotate or revoke it if the skill is no longer used.

What this means

Search terms are shared with Baidu's service and may be subject to that service's logging, retention, or usage policies.

Why it was flagged

The user-provided search query is sent to Baidu's external AI search endpoint. This is the core function of the skill and is clearly purpose-aligned.

Skill content

url = "https://qianfan.baidubce.com/v2/ai_search/web_search" ... "content": parse_data["query"] ... requests.post(url, json=requestBody, headers=headers)

Recommendation

Avoid sending confidential or regulated information as search queries unless that use is acceptable under the Baidu API terms and the user's privacy requirements.

What this means

The user may have less certainty that the reviewed artifact identity matches the registry entry they intended to install.

Why it was flagged

The embedded metadata differs from the supplied registry identity for Baidu Search V2, which lists a different owner, slug, and version. This is a provenance/packaging ambiguity, not evidence of unsafe runtime behavior.

Skill content

"ownerId": "kn7akgt520t01vgs2tzx7yk6m180kt26", "slug": "baidu-search", "version": "1.1.2"

Recommendation

Verify the publisher and package identity before installation, and prefer artifacts whose registry metadata and embedded metadata are consistent.