test
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a straightforward Baidu web search skill, but it needs a Baidu API key, sends search queries to Baidu, and has a minor package metadata mismatch worth noting.
Install this only if you intend to use Baidu AI Search. Configure a limited-purpose Baidu API key if possible, avoid sensitive search queries, monitor quota or billing, and verify the publisher/source because the bundled metadata does not exactly match the registry entry.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your Baidu API access and may consume quota or incur account usage costs.
The skill reads a Baidu API key from the environment and uses it as a bearer token for the Baidu search API, which is expected for this integration but gives the skill delegated access to that service.
api_key = os.getenv("BAIDU_API_KEY") ... "Authorization": "Bearer %s" % api_key
Use a Baidu key intended for this skill, monitor usage, and rotate or revoke the key if you uninstall or stop using the skill.
Anything included in a search query may be processed by Baidu's service.
The script sends the user's search query to Baidu's external AI Search endpoint. This is disclosed and purpose-aligned, but it means query text leaves the local environment.
url = "https://qianfan.baidubce.com/v2/ai_search/web_search" ... "content": parse_data["query"]
Avoid putting secrets, private documents, or sensitive personal data into search queries unless you are comfortable sending them to Baidu.
The skill appears purpose-aligned, but the package identity is less clear than ideal.
The bundled metadata identifies a different slug/version than the supplied registry metadata for the evaluated skill (`test` / `ken-test` / `1.0.0`), creating a provenance/packaging ambiguity even though the visible code matches the stated search purpose.
"ownerId": "kn7akgt520t01vgs2tzx7yk6m180kt26", "slug": "baidu-search", "version": "1.1.2"
Verify that this package and publisher are the intended source before configuring your API key.
