Baidu Chinese Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal Baidu search integration, but users should treat searches and the Baidu API key as sensitive.

Install only if you are comfortable sending search queries to Baidu AI Search. Do not search for secrets, private personal data, or confidential internal material, and protect the Baidu API key in your local OpenClaw config with appropriate file permissions and rotation if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documentation does not clearly warn that user queries are sent to an external third-party search provider using a configured API key. Users may submit sensitive prompts or internal data under the assumption of local processing, causing unintentional disclosure to Baidu and associated logging or retention by the external service.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The guide tells users to place a live Baidu API key directly into a local JSON configuration file and provides no warning about credential sensitivity, file permissions, redaction, or secret-management alternatives. This increases the risk of accidental disclosure through backups, screenshots, support bundles, shared home directories, source control, or overly permissive filesystem access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal