Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
test
v1.0.0
Search the web using Baidu AI Search Engine (BDSE). Use for live information, documentation, or research topics.
by Dang Trung Kien (@dtkien182)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (Baidu web search) matches the code: the Python script calls the Baidu qianfan web_search endpoint using BAIDU_API_KEY. However the package metadata is inconsistent: top-level name/slug/owner (registry metadata shows 'test' / 'ken-test' / owner kn7akw...) differs from embedded _meta.json entries (slug 'baidu-search', different ownerId), and files are duplicated under baidu-search-1.1.2 as well as top-level. These packaging/name/owner mismatches are unexpected and should be validated.
Instruction Scope
Runtime instructions and the script stay within the described purpose: they parse a JSON query, build a request body, and call Baidu's API. The instructions only reference BAIDU_API_KEY and a suggested OpenClaw config path (~/.openclaw/openclaw.json) for storing the key. There is no code that reads unrelated system files or exfiltrates data to unexpected endpoints.
Install Mechanism
No install spec (instruction-only) so nothing arbitrary gets downloaded at install time. However the Python script imports the third-party 'requests' library but the skill does not declare this dependency or provide an install step; that is an omission which may cause runtime failures. File duplication (same script repeated in two paths) is also unusual and worth confirmation.
Credentials
The only required environment variable is BAIDU_API_KEY (declared as primaryEnv) which is proportionate to a Baidu search integration. The script reads only BAIDU_API_KEY from the environment and nothing else.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to modify other skills or system-wide settings. The README suggests editing the OpenClaw config to add the API key, which is typical for credential setup and within scope.
What to consider before installing
This skill's code looks straightforward and implements Baidu web search, but there are a few red flags to check before installing:
- Verify the author/source: package metadata and owner IDs differ from the embedded _meta.json and the registry slug; confirm you trust the publisher before giving it your BAIDU_API_KEY.
- Confirm dependencies: the script requires the Python 'requests' library but the skill doesn't declare or install it. Install it in a controlled environment (e.g., pip install requests) or run in an isolated container.
- Review duplicates: the same files appear in multiple places in the package; confirm this isn't accidental tampering.
- Protect your API key: the skill expects BAIDU_API_KEY and suggests adding it to ~/.openclaw/openclaw.json. Consider whether you want the key in that file (it persists on disk) or prefer setting it in a session-scoped environment instead.
- Run in isolation first: execute the script manually with a throwaway API key or in a sandbox to confirm behavior (it only contacts qianfan.baidubce.com and prints returned references).
If you cannot verify the publisher or the packaging anomalies, avoid installing or provide the skill with a limited/testing API key until you are comfortable.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔍︎ Clawdis
Bins: python3
Env: BAIDU_API_KEY
Primary env: BAIDU_API_KEY
