v1.0.0

baidu_search

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:11 AM.

Analysis

The skill matches its Baidu search and webpage parsing purpose, but it makes external web requests and relies on manually installed Python packages.

Guidance: This skill appears coherent for Baidu search and webpage extraction. Before installing, be aware that your search terms and fetched URLs go to external services, avoid using it for confidential queries, install the Python dependencies from trusted sources, and prefer enabling TLS verification for webpage fetching.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/fetch_url.py
response = requests.get(url, headers=headers, timeout=timeout, verify=False)

The webpage fetcher makes outbound requests to supplied or search-result URLs and disables TLS certificate validation; this is aligned with webpage parsing, but weakens assurance that fetched HTTPS content is authentic.

User impact: Fetched page text could be tampered with on an untrusted network and then summarized or used by the agent as if it came from the intended site.
Recommendation: Prefer normal TLS verification, only disable verification with explicit user approval, and treat fetched webpage text as untrusted.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
pip3 install --user baidusearch requests beautifulsoup4 lxml

The skill asks users to install external Python packages without pinned versions or a lockfile; these dependencies are expected for the purpose, but their exact provenance and versions are not fixed by the artifacts.

User impact: A future or unexpected package version could change behavior or introduce vulnerabilities.
Recommendation: Install from trusted package sources, pin dependency versions where possible, and prefer a reviewed install specification or lockfile.

Unexpected Code Execution
Severity: Low | Confidence: Medium | Status: Note
scripts/search_and_fetch.py
sys.path.insert(0, '.')
from fetch_url import fetch_url

The combined script puts the current working directory first on Python's import path before importing fetch_url; if another fetch_url.py exists there, it could shadow the bundled helper.

User impact: Running the script from a directory containing a different fetch_url.py could execute unintended local code.
Recommendation: Import the bundled helper by a fixed package or script-relative path instead of adding the current working directory to sys.path.