Bimiyun Search

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill is a coherent Bimiyun web-search wrapper, but it sends user search queries to an external API using a required API key and returns untrusted web content to the agent.

Install only if you are comfortable sending search queries to Bimiyun’s API. Configure the API key securely, avoid searching highly sensitive private data, keep any .env file out of version control, and treat returned web content as untrusted information rather than instructions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note, High Confidence
ASI01: Agent Goal Hijack
What this means

Search results could contain misleading or prompt-injection-style text from the web if the agent treats snippets as authoritative instructions.

Why it was flagged

The skill places external web result text into the output that an agent may read and reuse.

Skill content
"content": r.get("text") or r.get("snippet")
Recommendation

Treat search results as untrusted reference material, verify important claims, and do not follow instructions embedded in returned webpages unless the user explicitly asks.

What this means

Anyone with access to the configured API key may be able to use the user's Bimiyun account quota or permissions.

Why it was flagged

The script uses the Bimiyun API key as an authentication header for the search request, which is expected for this integration.

Skill content
"X-Api-Key": self.api_key
Recommendation

Use a dedicated Bimiyun key with appropriate limits, keep it out of shared logs and repositories, and rotate it if it may have been exposed.

What this means

Search queries, language settings, and the API key are sent to the configured search endpoint; a misconfigured endpoint could change where that data goes.

Why it was flagged

The skill sends search payloads to an external provider endpoint, and the endpoint can be overridden through environment or .env configuration.

Skill content
endpoint = os.environ.get("BIMIYUN_ENDPOINT") ... return "https://search.bimiyun.com/api/web"
Recommendation

Avoid putting highly sensitive private data in search queries and only set BIMIYUN_ENDPOINT to a trusted Bimiyun-compatible endpoint.