Baidu Scholar Search Skill 1.1.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Baidu Scholar search helper that sends user-directed search queries to Baidu using a required API key.

Install only if you are comfortable using your Baidu API key and sending search keywords, page number, and abstract preference to Baidu's service. Avoid submitting secrets, private research topics, personal data, or confidential internal project names unless that is acceptable under your privacy requirements.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The abstract-retrieval guidance relies on broad, ambiguous natural-language cues such as 'I need to understand the paper content' rather than explicit consent. That can cause the agent to send more detailed user queries and retrieve more third-party content than necessary, increasing unnecessary data disclosure and external content exposure.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation specifies an external Baidu API endpoint and API key requirement but does not warn that user-supplied search terms are transmitted off-platform. Search keywords may contain sensitive research topics, internal project names, or personal data, so failing to disclose this external transmission creates a privacy and compliance risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal