ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ernie-integration

v1.0.4

Step-by-step guide for integrating Baidu ERNIE 5.0 (Qianfan) models into Clawdbot. Use when someone asks how to add ERNIE models, configure Baidu Qianfan, or...

0· 238·0 current·0 all-time
by@mattheliu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name/description (ERNIE integration) matches the runtime instructions (how to add ERNIE, editing clawdbot.json, example requests). However the declared metadata lists no required environment variables or primary credential while the instructions explicitly require ERNIE_API_KEY (Baidu BCE API key). That discrepancy is incoherent and may mislead automated checks or users.
Instruction Scope
SKILL.md stays within the stated purpose: it explains how to obtain a Baidu Qianfan API key, set ERNIE_API_KEY in shell rc, add provider config to clawdbot.json, restart the gateway, and test the endpoint. It only references config files and shell environment variables directly relevant to integration and does not request unrelated system files or other credentials.
Install Mechanism
There is no install specification and no code is written to disk by the skill itself (instruction-only). This is the lowest-risk install mechanism; nothing is downloaded or executed by the skill package.
!
Credentials
The instructions require a Baidu Qianfan API key (ERNIE_API_KEY) which is an appropriate and necessary secret for the stated purpose. However the skill metadata does not declare this required environment variable or a primary credential. That omission reduces transparency and could cause automation or reviewers to miss that a secret will be used. The number and scope of environment variables in the instructions are otherwise proportional (only the single service API key).
Persistence & Privilege
The skill does not request always:true and does not claim any special persistent privileges. It does not modify other skills' configurations and only instructs users to update their own clawdbot.json and shell rc files (normal for integration guides).
What to consider before installing
This is an instruction-only integration guide that appears legitimate for adding Baidu ERNIE to Clawdbot, but note a metadata mismatch: the SKILL.md tells you to create and export ERNIE_API_KEY, while the skill's registry metadata lists no required environment variables. Before installing or following automated install steps: (1) treat ERNIE_API_KEY as a sensitive secret—do not commit it to version control and prefer a secrets manager over plain ~/.bashrc when possible; (2) verify the baseUrl (https://qianfan.baidubce.com/v2) and the official Baidu docs/console links yourself; (3) confirm how Clawdbot stores the apiKey in clawdbot.json so it isn't logged or exposed; (4) ask the skill author or registry maintainer to update the skill metadata to declare ERNIE_API_KEY as a required credential so automated reviewers and users see the dependency; and (5) rotate the key if you test it in shared/suspect environments. This looks like sloppy metadata rather than malicious behavior, but the omission reduces transparency—proceed carefully.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d6j7pxz1q9fbrt7rrv247dx82v7g6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments