Tianshu Baidu Search
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Baidu web-search skill that uses a Baidu API key and sends search queries to Baidu’s API.
This skill looks safe for its stated purpose. Before installing, make sure you are comfortable providing a Baidu API key and sending search queries to Baidu, and confirm Node.js is available because the runtime dependency is not fully declared.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches made through the skill may use the user’s Baidu API account, quota, or billing configuration.
The script reads the Baidu API key from the environment and uses it as a Bearer token for the Baidu API. This is expected for the stated search integration, but it gives the skill access to the user’s Baidu API quota/account for searches.
const apiKey = process.env.BAIDU_API_KEY; ... Authorization: `Bearer ${apiKey}`
Use a Baidu API key intended for this purpose, monitor quota/billing, and rotate or revoke the key if you no longer use the skill.
Any private or sensitive text included in a search query would be transmitted to Baidu’s API.
The user-provided search query is sent to Baidu’s Qianfan AI Search endpoint. This is central to the skill’s purpose and the destination is clear, but users should understand that queries leave the local environment.
messages: [{ content: params.query, role: 'user' }] ... fetch('https://qianfan.baidubce.com/v2/ai_search/web_search'
Avoid putting secrets or sensitive personal/business data in search queries unless you are comfortable sending them to Baidu under its API terms.
The skill may not work unless Node.js is already available, and the registry metadata does not fully describe that requirement.
The documentation relies on running a Node.js script, while the supplied requirements list no required binaries and there is no install spec. This is an under-declared runtime dependency, though the included package has no external dependencies.
Node.js implementation ... node scripts/search.js '{"query":"人工智能"}'
Verify Node.js is available before use; the publisher should declare Node as a required runtime for clarity.
