Baidu web search
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: baidu-search
Version: 1.1.4
The skill bundle provides a legitimate implementation for searching the web via the Baidu AI Search API. The Python script (scripts/search.py) correctly handles API authentication via environment variables, performs basic input validation on search parameters, and uses the standard requests library for communication. While it contains logic to proxy requests if specific sandbox environment variables (DUMATE_SESSION_ID) are present, this appears to be a functional requirement for specific deployment environments rather than a malicious exfiltration attempt.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches may use the user's Baidu Cloud account, quota, billing, or access permissions.
The skill requires a Baidu API key and instructs users to store it in OpenClaw configuration, which is expected for Baidu API access but gives the skill account-backed search authority.
"BAIDU_API_KEY": "your_actual_api_key_here"
Use a dedicated, revocable Baidu API key with only the permissions needed for AI Search, and monitor Baidu Cloud usage.
In sandbox mode, search queries and a session identifier may be visible to the configured scheduler proxy.
When DUMATE sandbox environment variables are present, the skill routes the Baidu request through a scheduler proxy and includes a session ID header. This appears to be sandbox plumbing and does not send the Baidu API key, but it is a separate gateway path from the directly documented Baidu endpoint.
proxy_url = f"{scheduler_url}/api/qianfanproxy{parsed.path}" ... "X-Dumate-Session-Id": session_id
Only run this skill in trusted OpenClaw/sandbox environments, and avoid putting highly sensitive information in search queries unless you trust the configured proxy path.
