v1.0.0

baidu-maps-poi-ai-search

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:39 AM.

Analysis

The skill appears to perform the advertised Baidu Maps POI search, but it can log a Baidu API key if the key is supplied in the JSON request.

Guidance

Before installing, plan to provide the Baidu key only through BAIDU_AK, avoid putting keys or session IDs in the JSON argument, and check whether stderr logs are captured by your agent environment. Also verify that the requests Python package is installed from a trusted source.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low
Confidence: High
Status: Note
scripts/search.py
import requests

The skill has no install spec and declares only python3 as a required binary, but the code depends on the external requests package.

User impact: The skill may fail unless requests is already installed, or a user may need to install that dependency separately.
Recommendation: Declare the Python dependency explicitly in an install spec or requirements file, preferably with a pinned version or trusted installation instructions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium
Confidence: High
Status: Concern
scripts/search.py
print(f"success parse request body: {params}", file=sys.stderr) ... ak = params.get("ak") or os.getenv("BAIDU_AK")

The script accepts a Baidu API key in the JSON request and logs the entire parsed request before redaction. If a user supplies 'ak' in JSON, the API key can appear in stderr logs.

User impact: A Baidu Maps API key could be exposed in terminal logs or captured agent output, which may allow quota or billing abuse until the key is revoked or rotated.
Recommendation: Use the BAIDU_AK environment variable rather than passing 'ak' in JSON, and update the script to remove or redact debug logging of sensitive fields such as ak, baidu_session_id, and baidu_user_id.