Baidu Nearby / 百度能力集合

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a purpose-aligned Baidu search/maps helper, but it uses a Baidu API key and sends search or location queries to Baidu.

Before installing, confirm the package version/source, configure a restricted Baidu API key, and remember that route endpoints, nearby searches, coordinates, and web searches will be sent to Baidu when used.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Baidu LBS API key may be used for geocoding, directions, and nearby-place requests.

Why it was flagged

The skill requires a sensitive Baidu LBS API key for its map features. This is expected for the stated purpose, but it grants the skill access to use that key and consume related quota.

Skill content

BAIDU_API_KEY: ... used for map route planning and nearby place search ... required: true ... sensitive: true

Recommendation

Use a dedicated, restricted Baidu AK if possible, monitor quota, and avoid sharing a key with broader permissions than the skill needs.

What this means

Addresses, coordinates, route endpoints, nearby-search categories, and web search terms may be disclosed to Baidu when the skill is used.

Why it was flagged

Nearby search sends user-provided location/category data and the Baidu API key to Baidu's API over HTTPS. This is purpose-aligned, but location data can be sensitive.

Skill content

base_url = "https://api.map.baidu.com/place/v2/search" ... 'location': f"{lat},{lng}" ... 'query': query or '美食' ... 'ak': ak

Recommendation

Use the skill only when you intend to query Baidu, and avoid entering highly sensitive personal locations or searches unless you are comfortable sharing them with that provider.

What this means

It may be harder to confirm exactly which package version or source you are installing.

Why it was flagged

The bundled metadata version differs from the registry/SKILL version 1.0.4, and the registry source/homepage are absent. This is a provenance/versioning note, not evidence of malicious behavior.

Skill content

"version": "1.0.3"

Recommendation

Verify the publisher and expected version before installation, especially because the skill uses an API key.