AI Notes of Video

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims—send a user-provided video URL to Baidu to generate notes—but users should notice that it uses a Baidu API key and an external Baidu service.

This looks safe for its stated purpose if you intend to use Baidu's video-note service. Before installing, set BAIDU_API_KEY only in an environment you trust, use a limited key if available, monitor quota or billing, and submit only video URLs you are comfortable sharing with Baidu.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

Using the skill may consume Baidu API quota or operate under the permissions of the configured Baidu API key.

Why it was flagged

The script reads a local Baidu API key and sends it as a bearer token to Baidu. This is expected for the service integration, but it is still credential-backed account access.

Skill content

api_key = os.getenv("BAIDU_API_KEY") ... "Authorization": "Bearer %s" % api_key

Recommendation

Use a scoped Baidu API key if possible, avoid sharing the key, and monitor API usage or billing.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Private or pre-signed video links submitted to the skill may become accessible to Baidu's service for note generation.

Why it was flagged

The user-provided video URL is transmitted to Baidu's external API for processing, which matches the stated purpose but creates a third-party data flow.

Skill content

url = "https://qianfan.baidubce.com/v2/tools/ai_note/task_create" ... params = { "url": video_url } ... requests.post(url, headers=headers, json=params)

Recommendation

Only submit video URLs that you are comfortable sending to Baidu, and avoid sensitive or non-shareable links unless that is intended.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Install-time or registry views may not clearly show that the skill needs a Baidu API key and Python-based helper scripts.

Why it was flagged

The registry metadata omits requirements that are present in SKILL.md and the scripts, namely Python execution and BAIDU_API_KEY. This is a transparency/setup issue rather than evidence of malicious behavior.

Skill content

Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

Recommendation

Review SKILL.md before use and ensure the registry metadata is corrected to declare Python and BAIDU_API_KEY.