Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baidu Scholar Search Skill 1.1.0

v1.0.0

Baidu Scholar Search - Search Chinese and English academic literature (journals, conferences, papers, etc.)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability

Name/description, required binary (curl), declared env var (BAIDU_API_KEY), SKILL.md endpoint, and the included bash script all align with a search wrapper for Baidu Scholar. Nothing requested appears unrelated to the stated purpose.
Instruction Scope

Runtime instructions and the bash script stay within the search scope (they send the keyword/page/abstract flags to the Baidu endpoint). Minor implementation issues: the script interpolates the keyword into the URL without URL-encoding or sanitization, which may produce broken requests or unexpected encoding and could alter the query sent to the remote endpoint. The script also adds a custom header (X-Appbuilder-From: openclaw), which reveals to the endpoint that the request originated from this skill.
Install Mechanism

Instruction-only with a small bash script and no install spec — lowest-risk class. No downloads or archives; nothing is written to disk beyond the included script.
Credentials

Requesting a single BAIDU_API_KEY is proportionate to calling the Baidu API. The skill sends that key in an Authorization: Bearer header to qianfan.baidubce.com (the declared endpoint), so protect the key as it is transmitted to a third party. No other credentials or unrelated env vars are requested.
Persistence & Privilege

The skill's always field is false, and the skill does not request persistent or system-wide privileges. It does not modify other skills or agent configs.
Assessment

This skill appears to do what it says: it sends your search terms (and optionally requested abstracts) to a Baidu endpoint using the BAIDU_API_KEY you provide. Before installing:

1) Confirm you trust the endpoint (qianfan.baidubce.com) and that your BAIDU_API_KEY has only the permissions it needs.
2) Be aware that search queries and any requested abstracts are transmitted to Baidu — avoid sending sensitive or private text.
3) Consider URL-encoding user-supplied keywords (the included script does not) to avoid malformed requests or accidental leakage of special characters.
4) Note metadata inconsistencies in the owner/version fields in the package files — verify the publisher if provenance matters.
5) Protect the BAIDU_API_KEY (use least-privileged keys and rotate it if compromised).

If you need stronger guarantees about input handling or privacy, request a version that URL-encodes inputs and documents the exact API behavior and data retention policy.


Runtime requirements

🔬 Clawdis
Binaries: curl
Env: BAIDU_API_KEY
Primary env: BAIDU_API_KEY