Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baidu Smart Search

v0.1.1

Call Baidu Qianfan web search APIs to search the live web with AppBuilder credentials and return structured results. Use when a task specifically needs Baidu...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for windrunner20/baidu-smart-search.

Install the skill "Baidu Smart Search" (windrunner20/baidu-smart-search) from ClawHub.
Skill page: https://clawhub.ai/windrunner20/baidu-smart-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install baidu-smart-search

ClawHub CLI

npx clawhub@latest install baidu-smart-search

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
Name, description, references, and the included script all consistently implement a Baidu Qianfan web search client. However the registry metadata lists no required environment variables or primary credential while SKILL.md and scripts/qianfan_search.py clearly require QIANFAN_APPBUILDER_API_KEY (or --api-key). The missing declared credential is an inconsistency.
Instruction Scope
SKILL.md instructs the agent/user to set the AppBuilder API key and run the included Python wrapper. The runtime instructions and script only perform expected actions: build a JSON payload and POST to the documented Baidu Qianfan endpoint, then normalize results. There are no instructions to read unrelated files, harvest other environment variables, or send data to third-party endpoints beyond the (documented) API. One minor note: the script accepts a --url override, which lets callers point to a non-default endpoint if intentionally used.
Install Mechanism
No install spec; this is an instruction-only skill with a small included Python script. Nothing is downloaded or installed by the skill, so install risk is low.
Credentials
The skill legitimately needs an AppBuilder API key (QIANFAN_APPBUILDER_API_KEY) to authenticate to the Baidu endpoint; that is proportionate to its purpose. However the skill metadata does not declare this required environment variable or a primary credential, creating an information gap. The SKILL.md appropriately warns not to publish keys, but the mismatch between declared requirements and runtime expectations is problematic for users and for automated permission/credential checks.
Persistence & Privilege
The skill does not request always:true and contains no install steps that persist beyond the skill files. It does network I/O only when invoked and does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it claims (wrap Baidu Qianfan web_search). Before installing or running it:

  1. Be aware you must provide an AppBuilder API key (QIANFAN_APPBUILDER_API_KEY) even though the registry metadata doesn't declare it — prefer a dedicated, least-privilege key.
  2. Don't publish or commit your .env or API key; follow the SKILL.md security rules.
  3. Review the default endpoint (https://qianfan.baidubce.com/...) and avoid using the --url override unless you control the target, since pointing the script to an attacker-controlled URL could expose your key.
  4. Ask the publisher to update the skill metadata to list the required environment variable and primary credential so automated tooling and other users can correctly assess required secrets.
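
One way to guard the --url override raised in the scan notes above, so the API key is only ever sent to the expected host. This is an added example, not code from scripts/qianfan_search.py; check_endpoint and ALLOWED_HOSTS are hypothetical names, and only the host of the default endpoint is taken from this page (its path is elided there).

```python
from urllib.parse import urlsplit

# Host of the default endpoint named in the scan notes. The path is elided on
# the page, so this check covers scheme, userinfo, host and port only.
ALLOWED_HOSTS = {"qianfan.baidubce.com"}


def check_endpoint(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a URL that is about to receive the API key."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https so the key is not sent in clear text"
    if parts.username is not None or parts.password is not None:
        # "https://trusted-host@other-host/" parses with other-host as the host.
        return False, "userinfo (user@host) is not allowed in the endpoint URL"
    # Exact match after normalising case and a trailing dot; a suffix or
    # substring test would accept look-alike hosts.
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} is not an allowed endpoint host"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs; the paths are placeholders.
    for candidate in (
        "https://qianfan.baidubce.com/constructed/path",
        "http://qianfan.baidubce.com/constructed/path",
        "https://qianfan.baidubce.com.example.net/constructed/path",
        "https://qianfan.baidubce.com@example.net/constructed/path",
    ):
        print(candidate, "->", check_endpoint(candidate))
```

A wrapper would call this on the resolved endpoint before building the request and refuse to attach the key when it returns False.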

Like a lobster shell, security has layers — review code before you run it.

latestvk975b4sfbvz179fmdx7dkzcw0d83qh7v
96 downloads
0 stars
1 version
Updated 1mo ago
v0.1.1
MIT-0

Baidu Qianfan Search

Use this skill to query Baidu Qianfan's web search API and return structured search results without scraping websites directly.

Quick start

  1. Store the API key in an environment variable before running scripts:

     export QIANFAN_APPBUILDER_API_KEY='...'

     Or keep it in a local untracked file such as .env.local and source it manually:

     set -a
     source ./.env.local
     set +a

  2. Run the bundled script:

     python3 scripts/qianfan_search.py "北京有哪些旅游景区"

  3. For raw JSON debugging:

     python3 scripts/qianfan_search.py "北京有哪些旅游景区" --raw

Common patterns

Basic web search

python3 scripts/qianfan_search.py "百度千帆平台"

Restrict to specific sites

python3 scripts/qianfan_search.py "天气预报" --site weather.com.cn --site www.weather.com.cn

Filter by recency

python3 scripts/qianfan_search.py "近期 AI 智能体新闻" --recency week

Request images or videos too

python3 scripts/qianfan_search.py "故宫博物院" --web-top-k 5 --image-top-k 5 --video-top-k 3 --raw

Output handling

  • Default mode prints a normalized JSON object with query, count, items, and discovered raw_keys.
  • --raw prints the full upstream JSON for troubleshooting or adapting to API changes.
  • If Baidu changes response fields, inspect raw output first, then patch scripts/qianfan_search.py.

Security rules

  • Never place the real API key in SKILL.md or references/.
  • Never publish .env.local to ClawHub.
  • Before packaging or publishing, delete any local secret files from the skill folder or ensure the publisher excludes them.
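
A pre-publish check for the three rules above, as an added example (not part of the skill or of ClawHub tooling): it walks the skill folder and reports local secret files and any file that assigns QIANFAN_APPBUILDER_API_KEY a literal value. The function name, the placeholder set and the .env* filename pattern are assumptions of this sketch.

```python
import os
import re

SECRET_FILE = re.compile(r"^\.env(\..+)?$")  # .env, .env.local, ...
KEY_ASSIGN = re.compile(
    r"QIANFAN_APPBUILDER_API_KEY\s*=\s*(['\"]?)([^'\"\s]*)\1")
PLACEHOLDERS = {"", "..."}  # '...' is the placeholder used in the quick start


def prepublish_findings(skill_dir):
    """Return sorted (relative_path, problem) pairs that should block publishing."""
    findings = []
    for root, dirs, files in os.walk(skill_dir):
        dirs[:] = [d for d in dirs if d != ".git"]  # skip VCS internals
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, skill_dir)
            if SECRET_FILE.match(name):
                findings.append((rel, "local secret file present"))
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    lines = fh.read().splitlines()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file: nothing to scan as text
            for lineno, line in enumerate(lines, 1):
                m = KEY_ASSIGN.search(line)
                if not m:
                    continue
                value = m.group(2)
                # Placeholders and shell references ($VAR) are not literal keys.
                if value in PLACEHOLDERS or value.startswith("$"):
                    continue
                findings.append(
                    (rel, f"line {lineno}: key assigned a literal value"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    problems = prepublish_findings(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, problem in problems:
        print(f"{rel}: {problem}")
    sys.exit(1 if problems else 0)
```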

References

  • Read references/api.md for the concise endpoint and parameter summary.
  • Use scripts/qianfan_search.py as the canonical wrapper for the API.
