Bailian Usage Proxy
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated proxy/usage-tracking purpose, but its admin API can create and expose access keys without authentication, which could let anyone who reaches the service use the shared Bailian account.
Install only if you are prepared to operate it like a real internal service: add authentication to every admin endpoint before exposing it, bind admin access to a private network, set strong database and application secrets, protect the Bailian master API key, and prefer pinned dependency installation.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach the service could call administrative endpoints, create accounts, view usage data, and enable further use of the proxy.
These management routes create users, list users, and return usage reports, but their signatures do not include verify_api_key or another administrator authorization dependency.
@app.post("/admin/users", response_model=UserResponse)
async def create_user(user_create: UserCreate): ...
@app.get("/admin/users", response_model=List[UserResponse])
async def list_users(department: Optional[str] = None): ...
@app.get("/admin/usage/report")
async def get_usage_report(
Require strong admin authentication and authorization for all /admin routes, separate the admin interface from the public proxy, and expose it only on a trusted network or behind an authenticated reverse proxy.
An unauthorized person could generate their own proxy key and spend the organization’s shared Bailian quota or costs.
The unauthenticated admin endpoint mints and returns a usable internal API key, which grants access to the shared Bailian-backed proxy.
@app.post("/admin/users", response_model=UserResponse)
async def create_user(user_create: UserCreate):
    api_key = f"bl-{uuid.uuid4().hex}"
    ...
    await db.create_user(user)
    return user
Gate key creation behind administrator login, restrict maximum limits, audit key issuance, support revocation, and avoid returning full keys except at creation time.
If deployed with these defaults, attackers on the reachable network could attempt to access or modify stored users, internal API keys, and usage records.
The optional MySQL profile exposes a database port and provides predictable fallback passwords if the operator does not override them.
MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-rootpassword}
MYSQL_PASSWORD=${MYSQL_PASSWORD:-bailianpassword}
ports:
- "3306:3306"
Remove default database passwords, require explicit secrets, avoid publishing MySQL publicly, and store secrets outside the compose file.
Future dependency changes or package compromise could affect the running proxy.
The one-click setup installs packages from PyPI without version pins or hashes, even though a pinned requirements.txt is present.
pip install -q fastapi uvicorn httpx sqlalchemy aiosqlite pydantic python-dotenv jinja2 python-multipart
Install from a pinned lockfile or requirements.txt with reviewed versions, preferably in an isolated virtual environment.
Prompts and request data sent through the proxy leave the local service and are processed by Alibaba Bailian under the shared account.
The proxy forwards full client request bodies to the Bailian provider using the shared master API key; this is disclosed and central to the skill’s purpose.
self.client = httpx.AsyncClient(
    base_url=self.settings.bailian_base_url,
    headers={"Authorization": f"Bearer {self.settings.bailian_api_key}"},
    timeout=60.0
)
...
response = await self.client.post("/chat/completions", json=request_data)
Document this data flow clearly, use the provider only for approved data, and protect the master API key and proxy logs.
The proxy may continue accepting requests after the terminal is closed, increasing the impact of any exposed admin or API endpoint.
The skill includes a user-directed daemon mode that keeps the proxy running in the background until stopped.
nohup python3 -m app.main >> "$LOG_FILE" 2>&1 &
PID=$!
echo $PID > "$PID_FILE"
Run the daemon only intentionally, monitor the PID/log files, restrict network access, and stop it when no longer needed.
