Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Baidu Search Node
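v1.1.0
Calls the Baidu Search API through a Node.js script, returning search results with rank, title, summary, and link according to keyword and count parameters.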
⭐ 0· 854·5 current·5 all-time
by wangsihong @wsh66660
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill description/summary suggests calling a Baidu search API, but the SKILL.md and baidusearch.js clearly implement web scraping of baidu.com (no API key required). This is a semantic mismatch: consumers expecting an official API client (stable query params, time/quality filters) will instead get an HTML scraper with brittle parsing. The SKILL.md explicitly contrasts this tool with an "official API" and admits it is a crawler.
Instruction Scope
Runtime instructions tell the agent to run a local Node script via node/child_process.execSync and to install axios/cheerio/commander. The SKILL.md points to a hard-coded absolute path (/Users/mac/.openclaw/workspace/skills/...), which may not match other user environments and could cause the agent to execute unexpected local files if paths are different. Aside from calling the local script and performing outbound HTTP requests to baidu.com, the instructions do not ask the agent to read unrelated files or credentials.
Install Mechanism
There is no automated install spec (instruction-only plus included code). Dependencies are standard Node packages (axios, cheerio, commander). The package-lock shows packages resolved from Chinese npm mirrors (r.cnpmjs.org / r2.cnpmjs.org) rather than the official registry; this is notable but consistent with typical mirrors and not inherently malicious.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate to a web-scraping/search helper. No secrets-exfiltration indicators are declared in the SKILL.md or package files.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or claim to modify other skills. The SKILL.md shows the agent invoking a local script (normal for this skill type).
What to consider before installing
This skill is a web-scraper that fetches HTML from baidu.com and parses results — it is not an official Baidu API client despite the description. Before installing: (1) accept that scraped HTML is brittle and may break or return unexpected content (and could include ads); (2) review the full baidusearch.js to ensure there are no hidden remote endpoints or unexpected behaviors (current code shows only requests to baidu.com); (3) be aware the SKILL.md uses a hard-coded /Users/mac path — update to a correct path for your environment to avoid executing unknown local files; (4) the package-lock references cnpm mirrors — if your environment requires packages from the official npm registry, re-install dependencies from registry.npmjs.org or inspect the packages; (5) run the skill in a sandbox or non-production environment first if you have concerns about scraping TOS or outbound network activity. If you expected an official Baidu API client (with API-key features or filters), do not rely on this skill.
Like a lobster shell, security has layers — review code before you run it.
