Baidu Nearby / 百度能力集合

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Baidu search and maps helper, with expected privacy considerations when it sends searches, addresses, coordinates, and a Baidu API key to Baidu.

Install this only if you are comfortable sending search terms, addresses, coordinates, route endpoints, nearby-place categories, and your Baidu API key to Baidu. Use a dedicated restricted Baidu key, monitor quota, and avoid entering highly sensitive personal locations unless that disclosure is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares sensitive environment-variable usage and network access in metadata and examples, but does not explicitly declare permissions for those capabilities. In agent systems that rely on declared permissions for policy enforcement or user awareness, this mismatch can lead to over-privileged execution, hidden data access, or unsafe invocation without proper review.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The English 'Use when' text is broad enough to match generic web search, travel, and local recommendation requests, which increases the chance the agent will invoke this skill in situations where the user did not specifically intend to use Baidu services. Overbroad triggering can cause unintended network calls, unnecessary exposure of user location or query data to a third-party provider, and reduced user control over tool selection.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The Chinese 'Use when' guidance mirrors the same overbroad routing problem and could cause the skill to be selected for general search or location tasks without sufficient specificity. Because this skill handles location queries and uses external APIs, accidental invocation may disclose user queries, destinations, or coordinates to Baidu when a narrower or local tool would have sufficed.

VirusTotal

66/66 vendors flagged this skill as clean.
