Baidu Web Search

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Baidu web-search skill that uses a Baidu API key, with minor install/provenance details users should notice.

This skill looks suitable for its stated purpose if you want Baidu Qianfan web search. Before installing, confirm the publisher/version because the embedded metadata differs from the registry summary, and provide the Baidu API key only through trusted OpenClaw configuration or a private local setup.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill requires giving it access to a Baidu Qianfan API key, which could incur usage or billing on that Baidu account.

Why it was flagged

The script reads a Baidu API key from the environment or local config and uses it as a bearer token for the Baidu Qianfan API. This is expected for the search service, but it is still credential use.

Skill content
const envKey = (process.env.BAIDU_API_KEY || '').trim(); ... Authorization: `Bearer ${apiKey}`
Recommendation

Use a dedicated, least-privilege Baidu API key if possible, configure it through OpenClaw’s credential settings rather than pasting it into public chats, and rotate it if exposed.

What this means

The agent may run the provided search script when web search is needed.

Why it was flagged

The skill directs the agent to execute a local Node.js script for searches. This is narrow and purpose-aligned, but users should recognize that the skill invokes local code.

Skill content
Only execute `node scripts/search.js "<query>" [num_results]`
Recommendation

Review the script before use and keep invocation limited to user-relevant search queries.

What this means

It may be harder to confirm that the uploaded artifact corresponds exactly to the registry listing.

Why it was flagged

The included package metadata does not match the registry summary, which lists a different owner ID, slug, and version. This is a provenance inconsistency, though the provided code itself is coherent.

Skill content
"ownerId": "kn7aca6jsrdadmb48z70w613gx80d2aq", "slug": "baidu-web-search", "version": "1.1.0"
Recommendation

Verify the publisher and package version before installing, especially because the skill uses an API key.

What this means

Dependency resolution could vary between installations.

Why it was flagged

The skill depends on an npm package with a semver range and no lockfile shown. This is common for Node integrations but means future installs may resolve a different dependency version.

Skill content
"dependencies": { "axios": "^1.6.0" }
Recommendation

Install from a trusted registry and consider pinning dependencies or using a lockfile in controlled deployments.