Back to skill

Security audit

Baidu Search V2

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Baidu search skill that sends search queries to Baidu using a user-provided API key.

Install only if you are comfortable sending search queries to Baidu and using your Baidu API quota. Avoid secrets, personal data, or confidential internal terms in queries unless your policy allows it, and verify the package identity because the embedded metadata does not exactly match the registry metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description says the skill searches the web but does not warn that user queries are sent to Baidu's external service or that an API key is required. This can lead to unintended disclosure of sensitive prompts, research topics, or internal data to a third party, especially if agents pass user content into the search tool automatically.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.