Baidu Ecommerce Search

Pass. Audited by ClawScan on May 8, 2026.

Overview

The skill is coherent for Baidu shopping, but it uses a Baidu ecommerce token to access account shopping data and create orders or addresses, so users should confirm purchases carefully.

Install only if you trust this Baidu ecommerce integration. Use the minimum token permissions needed, review every order summary before confirming, avoid sharing unnecessary address/order data, and revoke the token when you no longer need the skill.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use the token for account-bound ecommerce actions such as address, order, and purchase workflows.

Why it was flagged

The skill requires a user-provided Baidu ecommerce token and states that created orders use the token owner's account, so it has delegated account authority.

Skill content
export BAIDU_EC_SEARCH_TOKEN="your-token" ... The account used to create orders is the account under which the user applied for the token
Recommendation

Use a least-privilege token, verify the publisher, and revoke or rotate the token when it is no longer needed.

What this means

If the user confirms the wrong summary, the skill could create an unwanted order, though payment is described as requiring completion via a returned link.

Why it was flagged

The workflow includes a side-effecting order creation step, but it is disclosed and placed after an explicit user confirmation step.

Skill content
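4. **Order confirmation**: show a summary of product name + specification + shipping address + amount → user confirms
5. **Create order**: call order create, return the order details link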
Recommendation

Confirm every product, SKU, shipping address, and price before allowing order creation.

What this means

Shipping details, order IDs, and shopping queries may be transmitted to Baidu's ecommerce service as part of normal operation.

Why it was flagged

All tool parameters are sent to a Baidu ecommerce API endpoint; for address and order tools, this can include shipping or order-related personal data.

Skill content
BASE_URL = "https://mcp-youxuan.baidu.com/skill" ... url = f"{BASE_URL}/{endpoint}?" + urllib.parse.urlencode(params)
Recommendation

Only provide address or order data needed for the task, and use the skill only if you trust the Baidu service and this publisher.

What this means

Users have less provenance information to confirm that this package is the intended Baidu ecommerce integration.

Why it was flagged

The registry metadata does not identify a source repository or verified provenance, which matters because the skill requests a token with ecommerce account authority.

Skill content
Source: unknown
Recommendation

Verify the homepage, publisher, and token permission request before installing or supplying credentials.