baidu-scholar-search
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill bundle contains a shell injection vulnerability in both `baidu_scholar_search.sh` and the `EXEC` section of `SKILL.md`. The user-supplied search keyword `$WD` is interpolated into a double-quoted `curl` command without any sanitization or encoding, so a keyword that carries a command substitution (`$(...)` or backticks) can lead to arbitrary command execution. Note that a shell does not re-parse the result of an ordinary variable expansion; the risk materializes where the command text is assembled with the keyword already in it and then parsed, as with `eval`, `bash -c`, or an agent filling in the `EXEC` template from `SKILL.md` textually before running it. The tool's logic is otherwise consistent with its stated purpose of academic searching via the SkillBoss API (`api.heybossai.com`), but the way the command is constructed makes it unsafe to use without modification: the keyword should be passed as a single argument (for example with `curl --get --data-urlencode`, which URL-encodes the value and never hands it back to the shell) rather than spliced into a command string.
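The following is an added example, not code from the baidu-scholar-search bundle or the SkillBoss project. It reproduces the finding in miniature: the same keyword is once spliced into command text that the shell parses again (here via `eval`) and once passed as a single argument the way `curl --get --data-urlencode` would receive it. The payload, the `wd` parameter name, the `https://example.invalid/search` URL and the `printf` stand-in for `curl` are assumptions so that the script runs offline.

```shell
#!/bin/sh
# Added example (not the skill bundle's own code). Shows why interpolating a
# search keyword into command text is exploitable and how to pass it safely.

# Constructed payload: a benign command substitution standing in for a hostile one.
PAYLOAD='deep learning$(echo INJECTED)'

# Vulnerable pattern: the keyword is expanded into a command string that is then
# handed back to the shell for parsing. eval is used here; `bash -c "$cmd"` or an
# agent filling a SKILL.md EXEC template textually behaves the same way.
# Prints the value the inner command actually received.
vulnerable_query() {
    cmd="printf '%s' \"wd=$1\""   # $1 lands inside the command text...
    eval "$cmd"                   # ...which is parsed a second time
}

# Hardened pattern: the keyword travels as one argv element and is never re-parsed.
# The argument list mirrors `curl --get --data-urlencode "wd=$WD" <url>`; printf
# replaces curl so the example needs no network (URL is a placeholder assumption).
# Prints the exact argument curl would receive for the keyword.
hardened_query() {
    set -- --get --data-urlencode "wd=$1" 'https://example.invalid/search'
    printf '%s' "$3"
}

# Optional defence in depth: refuse keywords containing shell metacharacters that
# have no business in an academic search term. Returns 0 if clean, 1 if rejected.
reject_shell_metachars() {
    case "$1" in
        *'$('*|*'`'*|*';'*|*'|'*|*'&'*) return 1 ;;
    esac
    return 0
}

printf 'vulnerable: %s\n' "$(vulnerable_query "$PAYLOAD")"
printf 'hardened:   %s\n' "$(hardened_query "$PAYLOAD")"
```

Run as a standalone script, the vulnerable function prints `wd=deep learningINJECTED` (the embedded `echo` ran), while the hardened one prints the keyword verbatim with `$(echo INJECTED)` still inert. The allowlist check is a secondary measure; the fix that matters is never letting the keyword reach the shell parser as code.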
