Baidu document parsing pipeline-parser

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using this skill requires giving the agent access to Baidu API credentials for document parsing requests.

Why it was flagged

The skill asks for Baidu API credentials. This is expected for the stated Baidu API integration, but it grants access to the user's Baidu AI service account and quota.

Skill content
export BAIDU_DOC_AI_API_KEY="your_api_key"
export BAIDU_DOC_AI_SECRET_KEY="your_secret_key"
Recommendation

Use a dedicated Baidu application/key with the minimum needed permissions and quota, store credentials in environment/config rather than command history, and rotate the key if it is exposed.

What this means

Documents processed with this skill may be transmitted to Baidu, and parsed results may be returned through provider-hosted URLs.

Why it was flagged

The script sends the selected document data or document URL to Baidu's parsing API. This is central to the skill's purpose but is still a third-party data flow.

Skill content
if file_data:
    params['file_data'] = file_data
elif file_url:
    params['file_url'] = file_url
...
response = requests.post(url, headers=headers, data=payload.encode("utf-8"))
Recommendation

Only submit documents you are allowed to send to Baidu, avoid highly sensitive files unless the provider terms and retention policy are acceptable, and be careful when using public file URLs.

What this means

The package identity/provenance is slightly unclear, which can make it harder to verify that the reviewed artifact matches the intended published skill.

Why it was flagged

The packaged _meta.json identity does not match the registry slug/version shown for this skill, which lists baidu-doc-pipeline-parser version 1.0.5.

Skill content
"slug": "xmind-doc-parser",
"version": "1.0.1"
Recommendation

Confirm the publisher and package version before installing, and ask the maintainer to align _meta.json with the registry metadata.

Findings (2)

critical
suspicious.exposed_secret_literal
Location: references/error_codes.md:104
Finding: File appears to expose a hardcoded API secret or token.

critical
suspicious.exposed_secret_literal
Location: scripts/baidu_doc_parser.py:34
Finding: File appears to expose a hardcoded API secret or token.