Qianfan KnowledgeBase Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Baidu Qianfan knowledge-base search skill that sends user-directed searches to the expected Baidu API using configured credentials.

Install only if you intend to send your search queries and selected knowledge-base IDs to Baidu Qianfan using your BAIDU_API_KEY. Avoid placing unnecessary secrets in search queries, and use an appropriately scoped API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 98%
Finding
The documentation says the skill searches the user's private knowledge bases but does not clearly warn that queries and knowledge-base identifiers are transmitted to Baidu Qianfan over the network. In this context, that omission matters because user prompts may contain sensitive internal information, and the skill is explicitly designed to access private enterprise content.

VirusTotal

66/66 vendors flagged this skill as clean.
