Tianshu Baidu Search
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: tianshu-baidu-search
Version: 1.0.0
The skill bundle provides a straightforward Node.js implementation for searching the web via the Baidu AI Search API. The script (scripts/search.js) correctly handles environment variables for authentication and communicates only with the official Baidu endpoint (qianfan.baidubce.com) without any signs of data exfiltration, obfuscation, or malicious execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Searches made through the skill may use the user’s Baidu API account, quota, or billing configuration.
The script reads the Baidu API key from the environment and uses it as a Bearer token for the Baidu API. This is expected for the stated search integration, but it gives the skill access to the user’s Baidu API quota/account for searches.
const apiKey = process.env.BAIDU_API_KEY; ... Authorization: `Bearer ${apiKey}`
Use a Baidu API key intended for this purpose, monitor quota/billing, and rotate or revoke the key if you no longer use the skill.
Any private or sensitive text included in a search query would be transmitted to Baidu’s API.
The user-provided search query is sent to Baidu’s Qianfan AI Search endpoint. This is central to the skill’s purpose and the destination is clear, but users should understand that queries leave the local environment.
messages: [{ content: params.query, role: 'user' }] ... fetch('https://qianfan.baidubce.com/v2/ai_search/web_search'
Avoid putting secrets or sensitive personal/business data in search queries unless you are comfortable sending them to Baidu under its API terms.
The skill may not work unless Node.js is already available, and the registry metadata does not fully describe that requirement.
The documentation relies on running a Node.js script, while the supplied requirements list no required binaries and there is no install spec. This is an under-declared runtime dependency, though the included package has no external dependencies.
Node.js 实现 ... node scripts/search.js '{"query":"人工智能"}'
Verify Node.js is available before use; the publisher should declare Node as a required runtime for clarity.
