Baidu Ecommerce Search

Result: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: baidu-ecommerce-search
Version: 1.0.11

The skill bundle is a functional API client for Baidu's ecommerce services, providing tools for product search, knowledge retrieval, and order management. The scripts (e.g., common.py, order.py, spu.py) use Python's standard library to interact with a legitimate-appearing endpoint (mcp-youxuan.baidu.com) and implement a robust cross-process rate-limiting mechanism using file locks in lock.py. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found.
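The file-lock technique the overview credits to lock.py, shown as an added illustration (this is not the skill's own lock.py, whose interface the audit does not reproduce; the state-file layout, the sliding-window policy and the fork-based demo are assumptions). The security-relevant property is that the read-modify-write of the shared counter happens under an exclusive advisory lock, so N independent processes sharing one state file cannot collectively exceed the limit; the demo forks several children against one file and counts what was admitted. POSIX only, since it uses fcntl.

```python
"""Cross-process rate limiter: a JSON state file guarded by fcntl.flock.

Added example of the technique, not lock.py from baidu-ecommerce-search.
Assumed design: sliding window of call timestamps, one shared state file.
"""
import fcntl
import json
import os
import tempfile
import time
from pathlib import Path


class FileLockRateLimiter:
    """At most max_calls admitted per window_seconds, counted across every
    process that shares state_path."""

    def __init__(self, state_path, max_calls, window_seconds, clock=time.time):
        self.state_path = Path(state_path)
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock  # injectable so the sequence below is deterministic

    def try_acquire(self):
        """Record one call and return True, or return False if the window is full."""
        self.state_path.touch(exist_ok=True)
        with open(self.state_path, "r+") as f:
            # LOCK_EX blocks until no other process holds the lock, so the
            # read-modify-write below is atomic with respect to other callers.
            fcntl.flock(f.fileno(), fcntl.LOCK_EX)
            try:
                raw = f.read()
                try:
                    stamps = json.loads(raw) if raw else []
                except json.JSONDecodeError:
                    stamps = []  # corrupt state file: start a fresh window
                now = self.clock()
                stamps = [t for t in stamps if now - t < self.window]
                if len(stamps) >= self.max_calls:
                    return False
                stamps.append(now)
                f.seek(0)
                f.truncate()
                f.write(json.dumps(stamps))
                f.flush()
                os.fsync(f.fileno())  # state must be durable before the lock is released
                return True
            finally:
                fcntl.flock(f.fileno(), fcntl.LOCK_UN)


def single_process_sequence(max_calls=3, window_seconds=10):
    """Deterministic walk-through with a fake clock: fill the window, get refused,
    advance past the window, get admitted again."""
    fake = {"now": 1000.0}
    with tempfile.TemporaryDirectory() as d:
        lim = FileLockRateLimiter(Path(d) / "rate.json", max_calls, window_seconds,
                                  clock=lambda: fake["now"])
        results = [lim.try_acquire() for _ in range(max_calls + 1)]
        fake["now"] += window_seconds
        results.append(lim.try_acquire())
    return results


def admitted_across_processes(max_calls, processes, calls_each, window_seconds=60):
    """Fork `processes` children that each attempt `calls_each` calls against one
    shared state file and return the total admitted. With a correct lock the
    answer is min(max_calls, processes * calls_each) regardless of scheduling."""
    with tempfile.TemporaryDirectory() as d:
        limiter = FileLockRateLimiter(Path(d) / "rate.json", max_calls, window_seconds)
        pids = []
        for _ in range(processes):
            pid = os.fork()
            if pid == 0:  # child: report its admitted count through the exit status
                count = sum(limiter.try_acquire() for _ in range(calls_each))
                os._exit(count)
            pids.append(pid)
        total = 0
        for pid in pids:
            _, status = os.waitpid(pid, 0)
            total += os.WEXITSTATUS(status)
        return total


if __name__ == "__main__":
    print("sequence:", single_process_sequence())
    print("admitted across 4 processes:", admitted_across_processes(5, 4, 3))
```

A limiter that kept the counter only in process memory, or that read the file before taking the lock, would admit up to `processes * calls_each` calls here; holding the lock across the whole read-modify-write is what makes the file the single source of truth.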

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use the token for account-bound ecommerce actions such as address, order, and purchase workflows.

Why it was flagged

The skill requires a user-provided Baidu ecommerce token and states that created orders use the token owner's account, so it has delegated account authority.

Skill content
export BAIDU_EC_SEARCH_TOKEN="your-token" ... The account used to create an order is the account of the user who applied for the token.
Recommendation

Use a least-privilege token, verify the publisher, and revoke or rotate the token when it is no longer needed.

What this means

If the user confirms the wrong summary, the skill could create an unwanted order, though payment is described as requiring completion via a returned link.

Why it was flagged

The workflow includes a side-effecting order creation step, but it is disclosed and placed after an explicit user confirmation step.

Skill content
4. **Order confirmation**: show a summary of product name + specification + shipping address + amount → user confirms
5. **Create order**: call order create, return the order detail link
Recommendation

Confirm every product, SKU, shipping address, and price before allowing order creation.
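One way to make the confirmation step actually bind order creation, as an added example rather than the skill's own order.py (the field names, the token format and the `send` callback are assumptions). The weakness the finding describes is that the summary the user approves and the payload the skill sends are two different things; the gate below derives a digest from exactly the fields the user sees, issues a single-use token for that digest, and refuses to call the order-create endpoint unless the payload it is about to send still hashes to the confirmed value.

```python
"""Bind the user's confirmation to the exact order payload that will be sent.

Added example, not the skill's own flow. Assumed: field names, token format,
and a `send` callback standing in for the order create call.
"""
import hashlib
import json
import secrets

# Every field the user must see and approve before an order is created.
CONFIRM_FIELDS = ("product_name", "sku", "shipping_address", "amount")


class ConfirmationError(Exception):
    """Order creation attempted without a valid, matching confirmation."""


def order_digest(order):
    """Canonical SHA-256 over exactly the confirmed fields, so any later change
    to product, SKU, address or price changes the digest."""
    missing = [k for k in CONFIRM_FIELDS if k not in order]
    if missing:
        raise ConfirmationError(f"order is missing fields: {missing}")
    canonical = json.dumps({k: order[k] for k in CONFIRM_FIELDS},
                           sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def render_summary(order):
    """Text shown to the user, built from the same dict whose digest is bound."""
    return (f"Product: {order['product_name']} | SKU: {order['sku']} | "
            f"Ship to: {order['shipping_address']} | Amount: {order['amount']}")


class ConfirmationGate:
    def __init__(self):
        self._pending = {}    # token -> digest awaiting the user's approval
        self._confirmed = {}  # token -> digest the user approved

    def request(self, order):
        """Step 4: issue a single-use token tied to the digest of what is shown."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = order_digest(order)
        return token, render_summary(order)

    def user_confirms(self, token):
        """Record the user's approval of the summary shown for this token."""
        digest = self._pending.pop(token, None)
        if digest is None:
            raise ConfirmationError("unknown or already-used confirmation token")
        self._confirmed[token] = digest

    def create_order(self, order, token, send):
        """Step 5: call `send` only if the payload still matches the confirmed
        digest. The token is consumed whether or not the check passes, so a
        stale token cannot be retried with a different payload."""
        expected = self._confirmed.pop(token, None)
        if expected is None:
            raise ConfirmationError("order not confirmed by the user")
        if order_digest(order) != expected:
            raise ConfirmationError("order changed after the user confirmed it")
        return send(order)


def demo():
    """Run three scenarios through the gate and return each outcome by name."""
    sent = []

    def send(order):  # stands in for the order create call; returns a detail link
        sent.append(order)
        return f"https://example.invalid/order/{len(sent)}"  # constructed link

    order = {"product_name": "Thermos 500ml", "sku": "TH-500-BLK",
             "shipping_address": "1 Example Rd, Example City", "amount": "89.00"}
    gate, outcomes = ConfirmationGate(), {}

    token, _summary = gate.request(order)
    gate.user_confirms(token)
    outcomes["confirmed_unchanged"] = gate.create_order(order, token, send)

    token, _summary = gate.request(order)
    gate.user_confirms(token)
    tampered = dict(order, amount="890.00")  # price edited after the user confirmed
    try:
        gate.create_order(tampered, token, send)
        outcomes["confirmed_then_changed"] = "sent"
    except ConfirmationError as e:
        outcomes["confirmed_then_changed"] = str(e)

    token, _summary = gate.request(order)  # summary shown but never approved
    try:
        gate.create_order(order, token, send)
        outcomes["never_confirmed"] = "sent"
    except ConfirmationError as e:
        outcomes["never_confirmed"] = str(e)

    outcomes["orders_sent"] = len(sent)
    return outcomes
```

The digest covers only the fields the user was shown; if the skill's order call takes additional parameters that affect what is bought or where it goes, they belong in CONFIRM_FIELDS too, otherwise the confirmation does not cover them.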

What this means

Shipping details, order IDs, and shopping queries may be transmitted to Baidu's ecommerce service as part of normal operation.

Why it was flagged

All tool parameters are sent to a Baidu ecommerce API endpoint; for address and order tools, this can include shipping or order-related personal data.

Skill content
BASE_URL = "https://mcp-youxuan.baidu.com/skill" ... url = f"{BASE_URL}/{endpoint}?" + urllib.parse.urlencode(params)
Recommendation

Only provide address or order data needed for the task, and use the skill only if you trust the Baidu service and this publisher.
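A check a practitioner would want here, as an added example (not the skill's common.py): because every parameter is urlencoded into the query string, personal data sent this way lands in the remote server's access logs and in any intercepting proxy's logs even though TLS protects it in transit. The helpers below apply a per-endpoint allow-list so only the parameters an endpoint needs are sent, flag sensitive keys that would travel in a query string, and redact them before a URL is logged locally. BASE_URL and the request shape are quoted from the finding; the endpoint names, their allowed parameters and the sensitive-key list are assumptions, not the skill's real API.

```python
"""Send only what an endpoint needs, and notice personal data in query strings.

Added example, not the skill's code. BASE_URL and the urlencode request shape
come from the audit; ALLOWED_PARAMS and SENSITIVE_KEYS are assumed.
"""
import urllib.parse

BASE_URL = "https://mcp-youxuan.baidu.com/skill"

# Assumed allow-list: the parameters each endpoint legitimately needs.
ALLOWED_PARAMS = {
    "search": {"query", "page"},
    "address/list": set(),
    "order/create": {"sku_id", "address_id", "quantity"},
}

# Assumed: keys whose values are personal data. Query-string values appear in
# server and proxy access logs, so these deserve a second look before sending.
SENSITIVE_KEYS = {"name", "phone", "address", "detail", "id_number"}


class ParameterPolicyError(ValueError):
    """Endpoint not covered by the allow-list."""


def minimize_params(endpoint, params):
    """Drop every parameter the endpoint is not known to need."""
    allowed = ALLOWED_PARAMS.get(endpoint)
    if allowed is None:
        raise ParameterPolicyError(f"endpoint not in allow-list: {endpoint}")
    return {k: v for k, v in params.items() if k in allowed}


def build_url(endpoint, params):
    """Same request shape as the skill's client, with minimized parameters."""
    return f"{BASE_URL}/{endpoint}?" + urllib.parse.urlencode(minimize_params(endpoint, params))


def sensitive_in_query(url):
    """Sorted list of sensitive keys present in the URL's query string."""
    query = urllib.parse.urlparse(url).query
    keys = [k for k, _ in urllib.parse.parse_qsl(query, keep_blank_values=True)]
    return sorted(k for k in keys if k in SENSITIVE_KEYS)


def redact_url_for_log(url):
    """Replace sensitive query values before the URL is written to a local log."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "[REDACTED]" if k in SENSITIVE_KEYS else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(redacted)))


if __name__ == "__main__":
    # Constructed sample: an extra "phone" key the order endpoint does not need.
    url = build_url("order/create", {"sku_id": "123", "address_id": "a1",
                                     "quantity": 1, "phone": "13800000000"})
    print(url, sensitive_in_query(url))
    raw = BASE_URL + "/address/add?name=Zhang&phone=13800000000&detail=1+Example+Rd"
    print(sensitive_in_query(raw), redact_url_for_log(raw))
```

An endpoint that genuinely needs an address (the address tools do) will still send it; the allow-list stops unrelated personal data from riding along on search or order calls, and the redaction keeps the agent's own logs from becoming a second copy of it.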

What this means

Users have less provenance information to confirm that this package is the intended Baidu ecommerce integration.

Why it was flagged

The registry metadata does not identify a source repository or verified provenance, which matters because the skill requests a token with ecommerce account authority.

Skill content
Source: unknown
Recommendation

Verify the homepage, publisher, and token permission request before installing or supplying credentials.