Bimiyun Search
Advisory
Audited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search results could contain misleading or prompt-injection-style text from the web if the agent treats snippets as authoritative instructions.
The skill places external web result text into the output that an agent may read and reuse.
"content": r.get("text") or r.get("snippet")
Treat search results as untrusted reference material, verify important claims, and do not follow instructions embedded in returned webpages unless the user explicitly asks.
Anyone with access to the configured API key may be able to use the user's Bimiyun account quota or permissions.
The script uses the Bimiyun API key as an authentication header for the search request, which is expected for this integration.
"X-Api-Key": self.api_key
Use a dedicated Bimiyun key with appropriate limits, keep it out of shared logs and repositories, and rotate it if it may have been exposed.
Search queries, language settings, and the API key are sent to the configured search endpoint; a misconfigured endpoint could change where that data goes.
The skill sends search payloads to an external provider endpoint, and the endpoint can be overridden through environment or .env configuration.
endpoint = os.environ.get("BIMIYUN_ENDPOINT") ... return "https://search.bimiyun.com/api/web"
Avoid putting highly sensitive private data in search queries and only set BIMIYUN_ENDPOINT to a trusted Bimiyun-compatible endpoint.
