baidu web search
Advisory
Audited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can consume the user's Baidu Qianfan account quota and depends on keeping the API key private.
The script reads a Baidu API key from the environment or local config and uses it as a bearer credential for the Baidu Qianfan search API.
const envKey = (process.env.BAIDU_API_KEY || '').trim(); ... Authorization: `Bearer ${apiKey}`
Configure the API key through the platform's secret or environment-variable mechanism when possible, avoid sharing it in public chats or logs, and rotate it if exposed.
Search terms may be visible to or processed by Baidu, so private or secret content in queries could leave the local environment.
User-provided search queries are sent to Baidu's Qianfan web search endpoint, which is expected for this skill but is still an external data flow.
const SEARCH_URL = 'https://qianfan.baidubce.com/v2/ai_search/web_search'; ... messages: [{ role: 'user', content: query }]
Use the skill only for queries you are comfortable sending to Baidu, and avoid including passwords, API keys, private documents, or other secrets in search terms.
A dependency update could change the installed code used by the skill, although this is common for npm-based integrations and no suspicious dependency behavior is shown here.
The skill relies on an npm dependency with a caret version range, so future installs may resolve to newer axios versions.
"dependencies": { "axios": "^1.6.0" }
Install from trusted sources and consider using a lockfile or pinned dependency versions in controlled environments.
