baidu-youjia-car

PassAudited by ClawScan on May 11, 2026.

Overview

This appears to be a coherent car-information lookup skill, with the main caveats that it sends queries to Baidu Youjia, uses a bundled API token, and has limited publisher provenance.

Before installing, be comfortable with car search terms and city names being sent to Baidu Youjia. Avoid including sensitive personal information in queries, and only provide a YOUJIA_TOKEN if you intend this skill to use it. Because the source and homepage are not declared, prefer installing only if you trust the publisher.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less ability to independently verify who maintains the skill or whether it is an official Baidu/Youjia integration.

Why it was flagged

The skill has no declared source repository or homepage, so users cannot easily verify publisher identity, update history, or upstream provenance from the provided metadata.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the registry publisher, and prefer inspecting the full package or using an official provider source when available.

Low

#ASI03: Identity and Privilege Abuse

What this means

API traffic may rely on a shared embedded token; if a user sets YOUJIA_TOKEN, that token will be sent to the Youjia API endpoints.

Why it was flagged

The API client uses a bundled default token and will also use a YOUJIA_TOKEN environment variable if present. This is purpose-aligned for the Youjia API, but it is still credential-like behavior users should notice.

Skill content

DEFAULT_TOKEN = "2_10af..."; self.token = token or os.environ.get("YOUJIA_TOKEN", self.DEFAULT_TOKEN)

Recommendation

Treat YOUJIA_TOKEN as a credential if you use it. Do not set a personal token unless you intend this skill to use it, and be aware the embedded token may be revoked or rate-limited.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Car search terms and city-level location preferences may be visible to the external provider.

Why it was flagged

The skill sends the user's car query and optional city to external Youjia endpoints. This is disclosed and central to the skill's purpose, but it is still an external data flow.

Skill content

NER_API_URL = "https://m.yoojia.com/api/search/sug" ... "query": query ... if city: params["city"] = city

Recommendation

Avoid entering unnecessary personal details, exact addresses, phone numbers, or other sensitive information in car queries.