Baidu Finance Search

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its stated Baidu finance-search purpose, but it disables HTTPS certificate verification while sending your Baidu API key and search queries.

Review before installing. Use only a restricted Baidu API key, avoid private or sensitive query text, resolve the publisher/version mismatch before trusting the package, and ask the maintainer to restore normal HTTPS certificate verification before using it on untrusted networks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Baidu API key, search queries, and returned results could be exposed or manipulated on an untrusted network.

Why it was flagged

The skill sends a bearer API key and search request data to Baidu over HTTPS while disabling both certificate-chain and hostname verification. With those checks off, an on-path attacker can present any certificate and the client will accept it, so the attacker can read or alter the request and response, including the bearer key.

Skill content
"Authorization": f"Bearer {api_key}" ... ctx.check_hostname = False ... ctx.verify_mode = ssl.CERT_NONE ... urllib.request.urlopen(req, timeout=60, context=ctx)
Recommendation

Do not disable TLS verification; remove the custom insecure SSL context (check_hostname = False, verify_mode = ssl.CERT_NONE) and rely on the default context's normal certificate and hostname validation before using real credentials.
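The following is an added example, not code from the skill or from ClawScan. It shows the insecure context the finding quotes beside its hardened form, a runtime check on an SSLContext, and a small static scan of the kind this audit performs over a constructed snippet that reproduces the quoted pattern. Pattern list and helper names are my own; the regex also catches the requests-style verify=False, which the finding does not mention.

```python
import re
import ssl
from typing import List

# Constructed sample, NOT the skill's real source; it reproduces the lines
# quoted in the finding so the scanner has something realistic to run on.
INSECURE_SNIPPET = '''
import ssl, urllib.request
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
urllib.request.urlopen(req, timeout=60, context=ctx)
'''

# The same request with the custom context removed: the default context already
# verifies the chain against the system trust store and checks the hostname.
HARDENED_SNIPPET = '''
import ssl, urllib.request
ctx = ssl.create_default_context()
req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
urllib.request.urlopen(req, timeout=60, context=ctx)
'''

# Source patterns that turn off TLS verification in common Python HTTP code.
INSECURE_TLS_PATTERNS = [
    re.compile(r"check_hostname\s*=\s*False"),
    re.compile(r"verify_mode\s*=\s*ssl\.CERT_NONE"),
    re.compile(r"ssl\._create_unverified_context\s*\("),
    re.compile(r"\bverify\s*=\s*False"),  # requests / httpx style (assumed extra)
]


def find_insecure_tls(source: str) -> List[str]:
    """Return the stripped source lines that disable TLS verification."""
    return [
        line.strip()
        for line in source.splitlines()
        if any(p.search(line) for p in INSECURE_TLS_PATTERNS)
    ]


def hardened_context() -> ssl.SSLContext:
    """What the recommendation asks for: default verification, modern TLS only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context_like_the_skill() -> ssl.SSLContext:
    """The context the finding quotes. Note the order: check_hostname must be
    cleared first, because Python refuses CERT_NONE while hostname checking
    is still enabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if both the chain and the hostname are verified."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print("insecure snippet hits:", find_insecure_tls(INSECURE_SNIPPET))
    print("hardened snippet hits:", find_insecure_tls(HARDENED_SNIPPET))
    print("hardened ctx safe:", context_is_safe(hardened_context()))
    print("skill-style ctx safe:", context_is_safe(insecure_context_like_the_skill()))
```

The static check is line-based on purpose: a skill can rename ctx or split the assignment across files, so a real scanner should also flag ssl.SSLContext objects whose verify_mode is downgraded anywhere on the path to urlopen, which is what context_is_safe tests at runtime.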

What this means

Installing users may not realize from registry metadata that the skill needs a Baidu API credential and can consume that account's quota or access.

Why it was flagged

The code requires a Baidu API key, while the supplied registry metadata declares no required environment variables or primary credential. The credential use is purpose-aligned and also documented in SKILL.md, but under-declared in metadata.

Skill content
api_key = os.environ.get("BAIDU_API_KEY") ... if not api_key: ... raise ValueError("未配置 BAIDU_API_KEY")  (the message means "BAIDU_API_KEY not configured")
Recommendation

Declare BAIDU_API_KEY as a required credential/env var in metadata and use a restricted, service-specific key.

What this means

The mismatch may make it harder to confirm exactly which publisher and version you are installing.

Why it was flagged

The packaged metadata lists a different owner/version than the supplied registry metadata, which lists owner kn7ebb56grst3cqbsxbpc1ts7982hdsy and version 1.0.2.

Skill content
"ownerId": "kn7akgt520t01vgs2tzx7yk6m180kt26", "slug": "baidu-finance-search", "version": "1.0.1"
Recommendation

Verify the publisher and package version, and align _meta.json/SKILL.md with the registry record before relying on the package.
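As an added example covering both the under-declared credential finding and the owner/version mismatch finding (my code, not ClawScan's or the skill's), the block below extracts the environment variables a skill's source actually reads, compares them with what its metadata declares, and diffs the packaged _meta.json against the registry record. The metadata field names requiredEnv, ownerId, slug and version are assumed for illustration; only ownerId, slug and version appear in the audit, and the real registry schema may differ. The skill source is a constructed stand-in that reproduces the quoted lookup.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the skill's source (not the real file); it contains
# the same os.environ lookup the audit quotes, with the error message in English.
SKILL_SOURCE = '''
import os
api_key = os.environ.get("BAIDU_API_KEY")
if not api_key:
    raise ValueError("BAIDU_API_KEY not configured")
'''

# ownerId/slug/version values are the ones quoted in the audit; the
# requiredEnv field is an assumed name for "declared environment variables".
PACKAGED_META = {
    "ownerId": "kn7akgt520t01vgs2tzx7yk6m180kt26",
    "slug": "baidu-finance-search",
    "version": "1.0.1",
    "requiredEnv": [],
}
REGISTRY_META = {
    "ownerId": "kn7ebb56grst3cqbsxbpc1ts7982hdsy",
    "slug": "baidu-finance-search",
    "version": "1.0.2",
    "requiredEnv": [],
}

# Matches os.environ.get("X"), os.getenv("X") and os.environ["X"].
ENV_LOOKUP = re.compile(
    r'os\.(?:environ\.get|getenv|environ)\s*[\(\[]\s*["\']([A-Z0-9_]+)["\']'
)


def env_vars_read(source: str) -> List[str]:
    """Environment variable names the source reads, sorted and de-duplicated."""
    return sorted(set(ENV_LOOKUP.findall(source)))


def undeclared_env_vars(source: str, meta: Dict) -> List[str]:
    """Variables the code needs that the metadata does not declare."""
    declared = set(meta.get("requiredEnv", []))
    return [v for v in env_vars_read(source) if v not in declared]


def metadata_mismatches(
    packaged: Dict, registry: Dict, fields: Tuple[str, ...] = ("ownerId", "slug", "version")
) -> Dict[str, Tuple]:
    """Fields whose packaged value differs from the registry record."""
    return {
        f: (packaged.get(f), registry.get(f))
        for f in fields
        if packaged.get(f) != registry.get(f)
    }


def audit(source: str, packaged: Dict, registry: Dict) -> List[str]:
    """Human-readable findings for the two checks above."""
    findings = []
    for v in undeclared_env_vars(source, packaged):
        findings.append(f"credential {v} is read by the code but not declared in metadata")
    for f, (p, r) in metadata_mismatches(packaged, registry).items():
        findings.append(f"{f} mismatch: packaged={p!r} registry={r!r}")
    return findings


if __name__ == "__main__":
    for line in audit(SKILL_SOURCE, PACKAGED_META, REGISTRY_META):
        print("-", line)
```

Run against the constructed inputs this reports one undeclared credential and two mismatched fields (ownerId and version), which is exactly the shape of findings two and three. Declaring BAIDU_API_KEY in the metadata clears the first line; only a re-published package whose _meta.json matches the registry record clears the other two.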