Bailian Web Search Hardened
PassAudited by ClawScan on May 3, 2026.
Overview
This skill is a straightforward Alibaba Bailian web-search wrapper that requires an API key and sends search queries to Alibaba Cloud, with a minor limit-enforcement caveat.
Install only if you are comfortable sending search queries to Alibaba Cloud through your DashScope API key. Avoid putting private information into searches, protect the API key, and keep result counts modest because the script does not enforce the documented 20-result maximum.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may consume the user's Alibaba Cloud quota or incur costs tied to the configured API key.
The skill requires a DashScope/Bailian API key, which gives the script delegated access to the user's Alibaba Cloud search service.
requires":{"bins":["bash","curl","jq"],"env":["DASHSCOPE_API_KEY"]},"primaryEnv":"DASHSCOPE_API_KEY"Use a scoped API key where possible, monitor usage, and do not share or paste the key into conversations or logs.
Search terms are disclosed to Alibaba Cloud, so private or confidential conversation details should not be included in queries.
The script sends JSON-RPC requests, including the user-provided search query, to Alibaba Cloud's MCP WebSearch endpoint.
MCP_URL="https://dashscope.aliyuncs.com/api/v1/mcps/WebSearch/mcp"
Keep search queries generic and avoid including credentials, private names, financial data, internal project names, or other sensitive context.
A mistaken or excessive count value could cause unexpectedly large API requests or consume more quota than intended.
The script validates that count is numeric but does not enforce the SKILL.md documented maximum of 20 results.
if ! [[ "$COUNT" =~ ^[0-9]+$ ]]; then ... --argjson count "$COUNT"
Keep result counts at or below 20 and consider adding an explicit script-side cap to match the documented behavior.