Baidu Wenku AI picture book of video
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill gives it access to make Baidu API requests under the provided key.
The script uses the provided Baidu API key as a bearer credential to create picture-book tasks. This is expected for the Baidu integration and there is no evidence of hardcoded keys or credential logging.
"Authorization": f"Bearer {api_key}"Use a dedicated or least-privileged Baidu API key if possible, and avoid passing the key on the command line when an environment variable can be used.
Any story text, descriptions, or task IDs used with the skill may be sent to Baidu/Qianfan or, in the configured sandbox path, through the scheduler proxy.
User-provided story or description text is packaged into the API request for the Baidu picture-book generation endpoint. This is necessary for the service, but it means submitted content leaves the local environment.
"input_content": content
Do not submit confidential, regulated, or private content unless you are comfortable sharing it with the external provider and any configured platform proxy.
The package identity is slightly harder to verify against an upstream source.
The included _meta.json version differs from the supplied registry version 1.1.2, and the skill listing has no source or homepage. This is a minor provenance/packaging inconsistency, not evidence of malicious behavior.
"version": "1.1.1"
Confirm the publisher and version in the registry before installing, especially if you rely on provenance controls.