Baidu Search Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a Baidu search compatibility alias, but it runs another unbundled skill to do the real work, so the reviewed package does not show the code that will handle searches and the API key.
Treat this as a review-required alias rather than a standalone search implementation. Before installing, inspect and trust the referenced realtime-web-search skill, confirm the metadata mismatch is intentional, and use a limited Baidu API key where possible.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the skill may execute whatever realtime-web-search script is installed locally, including a modified or untrusted copy, while operating under the same environment.
The included script does not implement the search itself; it executes a sibling skill file outside this package. That referenced file is not present in the manifest or pinned by an install spec, so the main runtime behavior is not reviewable from these artifacts.
Path(__file__).resolve().parents[3] / "custom-skills" / "realtime-web-search" / "scripts" / "search.py" ... runpy.run_path(str(CANONICAL_SCRIPT), run_name="__main__")
Only use this alias after verifying and trusting the installed realtime-web-search skill. The publisher should declare a pinned dependency or include the canonical implementation for review.
Users may have difficulty confirming which publisher and version they are actually trusting.
The supplied registry metadata and packaged _meta.json disagree on owner, slug, and version. This may be due to aliasing, but it weakens provenance clarity.
Registry: owner kn7a0xrbfcgjgbaxc749q50g6s82cvr3, slug baidu-search-pro, version 1.0.1; _meta.json: ownerId kn7akgt520t01vgs2tzx7yk6m180kt26, slug baidu-search, version 1.1.2
Verify the publisher identity and intended alias relationship before installation; the package should align registry and bundled metadata.
Searches may consume quota, incur cost, or be associated with the Baidu account tied to the key.
The skill explicitly requires a Baidu API key. This is expected for a Baidu search integration, but it is still account credential access.
"requires": { "anyBins": ["python", "python3", "py"], "env":["BAIDU_API_KEY"]},"primaryEnv":"BAIDU_API_KEY" ... "Required environment variable"
Use a limited-scope key if available, monitor usage, and do not expose a sensitive production key unless the delegated search implementation is trusted.
