qianfan-deepresearch
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: deepresearch-conversation
Version: 1.1.4
The skill bundle is a legitimate tool designed to automate the generation of research reports via the Baidu Qianfan DeepResearch API. The core logic in `scripts/deepresearch.py` handles session management, SSE stream parsing, and automated workflow steps (skipping clarifications and confirming outlines) without any signs of malicious behavior or obfuscation. The instructions in `SKILL.md` provide strict but functional guidelines for the AI agent to ensure consistent output formatting and proper query construction. All network requests are directed to the official Baidu API endpoint (qianfan.baidubce.com).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must provide or expose a Qianfan API key, which may allow use of the user’s Qianfan account and paid API quota.
The skill requires a Qianfan API key and may ask the user for it. This is expected for the stated provider API, but it is sensitive account authority and is not declared as a primary credential in metadata.
`api_key` | ✅ | ① conversation context → ② environment variable `QIANFAN_API_KEY` → ③ if neither is available, raise a clarification prompt asking the user for it
Use a scoped/rotatable API key, prefer environment variables or a secret store over pasting keys into chat or command lines, and revoke the key if it is accidentally exposed.
The report can be generated, and potentially billed by the provider, without the user reviewing the provider’s clarification questions or outline first.
The workflow intentionally automates provider-side steps, including skipping clarification and confirming the outline. This is disclosed and central to the one-click report purpose, but it reduces user review before report generation.
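The entire workflow is **single-stage automatic execution**: the Agent only needs to run a single command, and the script automatically skips clarification and confirms the outline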
Use this skill when you want the automatic workflow; for sensitive or expensive research tasks, manually review the query and selected depth/version before running it.
The skill may fail until requests is installed, and manual package installation depends on the user’s local Python package source and environment.
The script depends on the Python requests package, but the install specification is absent. This is not hidden execution, but users may need to install an unpinned dependency themselves.
except ImportError:
    print("缺少依赖: pip install requests", file=sys.stderr)
Install dependencies from trusted package indexes and consider pinning requests in a local environment if reproducibility matters.
Research topics and generated workflow data are transmitted to Baidu Qianfan, so confidential topics may leave the local conversation environment.
The skill sends the research query and bearer-authenticated requests to Baidu Qianfan’s DeepResearch API. The destination is disclosed and purpose-aligned, but it is still an external provider data flow.
Endpoint: `POST /v2/agent/deepresearch/run` ... `Authorization: Bearer {api_key}`
Do not submit confidential, regulated, or proprietary research topics unless your Qianfan account and data-processing terms permit that use.
