ClawHub

baidu baike search

v1.0.1

The Baidu Baike Component is a knowledge service tool designed to query authoritative encyclopedia explanations for various nouns. Its core function is given a specific "noun" (object, person, location, concept, event, etc.) provided by the user, it returns a standardized, detailed entry explanation sourced from Baidu Baike.

1· 2.6k·16 current·16 all-time
bybaidu_qianfan@baiduqianfangroup
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, and implementation all match the stated purpose (query Baidu Baike). Requiring curl and calling Baidu endpoints is coherent. However, the skill's registry metadata lists no required environment variables while both SKILL.md and the shipped shell script clearly require BAIDU_API_KEY; that metadata omission is inconsistent and should be corrected.
Instruction Scope
SKILL.md and the shell script limit actions to building curl GET requests to Baidu's appbuilder API and return the responses — scope is narrow and consistent with the stated purpose. Minor inconsistencies exist in examples: SKILL.md example uses the literal token text 'BAIDU_API_KEY' in the Authorization header (instead of showing it as a shell variable), which could confuse integrators but is not itself malicious.
Install Mechanism
There is no install spec (instruction-only pattern) and the only code is a small shell script. Nothing is downloaded from external URLs or installed automatically, so install-level risk is low.
!
Credentials
The script and SKILL.md require a BAIDU_API_KEY to call the Baidu API — a single API key is proportionate to the task. However, the registry metadata incorrectly lists no required env vars and does not declare BAIDU_API_KEY as the primary credential; this mismatch is a red flag (it may be an oversight, but it could also indicate sloppy or incomplete publishing practices).
Persistence & Privilege
The skill does not request always:true, does not ask to modify other skills or system configs, and is user-invocable only. It does not request elevated or persistent privileges.
Scan Findings in Context
[pre-scan: none] expected: No regex-based scan findings were detected. Absence of findings is expected for a small shell script and instruction-only skill; lack of findings does not guarantee safety.
What to consider before installing
This skill will send whatever BAIDU_API_KEY you provide to https://appbuilder.baidu.com when performing lookups — the behavior matches its stated purpose. However, the registry metadata does not declare the BAIDU_API_KEY requirement even though both SKILL.md and the script require it; that mismatch is suspicious. Before installing: (1) verify the skill's publisher or source because the 'Source' is unknown, (2) confirm you are comfortable providing a Baidu API key to this component and that the key has the minimal necessary scope, (3) prefer creating a dedicated/limited API key you can revoke if needed, and (4) correct or request corrected metadata (declare BAIDU_API_KEY) and review the script yourself — the code is short and readable. If you cannot verify the author or do not want to expose an API key, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk974nvrjpg6mmbyta66h4kd2n180g9m5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📖 Clawdis
Binscurl

Comments