
Security audit

Baidu API Search

Security checks across malware telemetry and agentic risk

Overview

This is a Baidu search helper that sends search topics to Baidu and saves local result files, with no evidence of hidden, destructive, or unrelated behavior.

Install this only if you are comfortable providing a Baidu AI Search/AppBuilder API key and sending search topics to Baidu. Use a dedicated key, monitor quota or billing, use `--no-cache` for sensitive or current searches, and clear the local runs/cache directories when retained queries or raw results should not remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Medium severity, 88% confidence
Finding
The cache stores full search queries and raw API responses on local disk, which can contain sensitive user prompts, URLs, or returned content. In an agent setting, users may issue private or regulated queries, so silent persistence increases privacy and data-retention risk if the host is shared or logs are later collected.

Missing User Warnings

Low severity, 83% confidence
Finding
The README explicitly states that the skill writes `research_pack.md`, `raw_results.jsonl`, and `run_summary.json`, but it does not warn that these files may persist retrieved web content locally. In agent or shared-workstation environments, this can expose sensitive queries, retrieved content, or browsing artifacts to other users, logs, backups, or downstream tooling.

Vague Triggers

Medium severity, 90% confidence
Finding
The recommended trigger guidance is very broad and maps common user phrases such as “查一下” (look it up), “搜索” (search), and “联网查” (search online) directly to this skill. In an agent environment, that can cause unintended or over-frequent invocation, leading to unnecessary network access, privacy surprises, and tool selection errors when the user did not explicitly intend Baidu-based retrieval.

Vague Triggers

Medium severity, 90% confidence
Finding
The trigger guidance is broad enough to match common Chinese phrases like “查一下” (look it up) or “最新” (latest), which could cause the skill to activate when the user did not specifically intend an external network search. That can lead to unnecessary outbound requests, privacy leakage of user queries, and unexpected consumption of API quota.

Natural-Language Policy Violations

Medium severity, 76% confidence
Finding
Instructing agents to prefer this skill over generic search for broad classes of requests, while defaulting to a Chinese retrieval flow, can override user intent and automatically route queries to an external provider without explicit confirmation. In contexts where prompts may contain sensitive or non-Chinese content, this increases the risk of unintended disclosure and inappropriate data handling.

Vague Triggers

Medium severity, 94% confidence
Finding
The default prompt uses broad phrases such as “查一下” (look it up), “搜索” (search), “联网查” (search online), “最近” (recently), “最新” (latest), and “热点” (trending topics), which are common in ordinary user requests. This can cause the agent to invoke this skill in many unrelated situations, overriding more appropriate tools and increasing the attack surface for prompt-routing manipulation or unintended external data access.

Natural-Language Policy Violations

Medium severity, 89% confidence
Finding
The prompt hard-codes Chinese-language search behavior and instructs the agent to prefer this skill over a general web search tool, without checking the user's language or consent. This can lead to mismatched results, reduced user control, and inappropriate routing of requests to a region-specific external service when the user did not ask for Chinese-language sources.

Missing User Warnings

Medium severity, 88% confidence
Finding
The document states that the cache stores request payloads and raw API responses, but it does not warn operators that these artifacts may contain user queries, sensitive topics, or other personal/business data that will persist on disk for up to 24 hours or longer if unmanaged. In an agent setting, search inputs often originate from user prompts, so silent retention increases privacy, data-handling, and local disclosure risk, especially on shared hosts or in loosely controlled workspaces.

Missing User Warnings

Medium severity, 90% confidence
Finding
The cache mechanism persists user queries and API responses without a strong user-facing warning, making it easy to retain sensitive search data unintentionally. In a research/search skill, this is especially relevant because queries may include confidential business, personal, or investigative content.

Missing User Warnings

Medium severity, 82% confidence
Finding
Writing full results to an arbitrary output file can persist sensitive search terms and returned content without clearly informing the user. This is a privacy/security issue rather than code execution, but in an agent workflow it can cause unintentional local data leakage and long-term retention.

Missing User Warnings

Medium severity, 87% confidence
Finding
The script generates a persistent Markdown report containing search queries, source titles, URLs, and snippets, which can include sensitive research topics, internal investigation subjects, or personal data returned by search results. In an agent context, automatically writing this material to disk without minimization, redaction, or an explicit warning increases the risk of unintended data retention, later disclosure, and leakage through logs, backups, or shared artifacts.

Missing User Warnings

Low severity, 89% confidence
Finding
The code sends the user-provided topic directly to Baidu Baike and, when enabled, to a fallback web search service. In an agent context, user prompts may contain sensitive or unintended data, so transmitting them to third-party services without an explicit notice or consent mechanism creates a real privacy/data-handling risk, even though this appears to be normal functionality rather than malicious behavior.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.