Baidu Search (Chinese edition)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Baidu search proxy, but users should be aware that it uses their own Baidu API key, sends every query to Baidu, and should be run only on localhost.

Install this only if you want an agent to search through Baidu using your own API key. Keep the key private, avoid sensitive search queries, prefer running the service on 127.0.0.1, and consider pinning dependencies for more reproducible installs.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Searches performed through this skill may be associated with the user's Baidu account and consume API quota.

Why it was flagged

The service authenticates to Baidu with a user-provided API key. This is expected for the stated search purpose, but it delegates the user's Baidu account quota or billing authority to the local service.

Skill content
api_key = os.getenv("BAIDU_API_KEY") ... "Authorization": f"Bearer {api_key}"
Recommendation

Use a dedicated or limited-scope Baidu API key if available, keep the .env file private, and monitor API usage.

What this means

Anything entered as a search query may leave the local environment and be processed by Baidu.

Why it was flagged

The code sends the user's search query and filters to Baidu's external API. This is disclosed and purpose-aligned for web search, but it is still an external data flow.

Skill content
BAIDU_API_URL = "https://qianfan.baidubce.com/v2/ai_search/web_search" ... "content": request.query ... client.post(..., json=body)
Recommendation

Avoid putting secrets, private documents, or sensitive personal data into search queries unless you are comfortable sending them to Baidu.

What this means

If exposed on a network, other clients could potentially send searches through the service and use the configured Baidu API key.

Why it was flagged

The alternate direct-run entrypoint would bind the search service to all network interfaces. The documented setup uses localhost, but this code path could expose the unauthenticated search proxy if used directly.

Skill content
uvicorn.run("baidu_search.main:app", host="0.0.0.0", port=8001)
Recommendation

Run the documented localhost command or change the direct-run host to 127.0.0.1 unless network exposure is intentional and protected.

What this means

A future install could receive newer dependency versions than the ones originally tested.

Why it was flagged

The Python dependencies are specified as version ranges rather than exact pinned versions or a lockfile. This is a common setup choice, but it means future dependency resolution can change installed code.

Skill content
"fastapi>=0.110.0", "httpx>=0.27.0", "uvicorn[standard]>=0.29.0"
Recommendation

For production or sensitive use, install from a reviewed lockfile or pin dependency versions.