Realtime Web Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a straightforward Baidu-backed web search skill that needs a Baidu API key and sends user search queries to Baidu, with minor setup and documentation caveats.
Install this skill if you are comfortable with your search queries being sent to Baidu Qianfan using your BAIDU_API_KEY. Use a limited-scope key, avoid private or secret material in queries, keep endpoint override variables trusted, and do not set BAIDU_SECRET_KEY unless the OAuth fallback is actually needed and implemented.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Search terms and filters may be visible to Baidu or to any endpoint configured through override variables.
The script sends the constructed search request, including the user's query, to the selected external endpoint. This is purpose-aligned for realtime web search, but it is still an external provider data flow.
resp = requests.post(url, json=request_body, headers=headers, timeout=30)
Avoid placing private secrets in search queries, and keep endpoint override environment variables set only to trusted Baidu or trusted proxy endpoints.
The configured Baidu key may consume account quota or exercise permissions associated with that key.
The skill uses BAIDU_API_KEY as a bearer credential for provider API access. This is expected for the stated Baidu search integration, but it uses the user's account/API privileges.
"Authorization": f"Bearer {api_key}"
Use a scoped Baidu key with only the needed search capabilities, rotate it if exposed, and do not share command output or environment details that could reveal credentials.
The skill may rely on whatever requests version is already installed in the local Python environment.
The code depends on the third-party requests package, while the provided install information does not declare a package install or pinned dependency. No remote installer is shown, so this is a setup/provenance note rather than suspicious behavior.
import requests
If installation is needed, install requests from a trusted package source and prefer a pinned, maintained version; the publisher should declare this dependency.
A user may place an unnecessary extra secret in their environment.
The documentation asks users to configure an additional BAIDU_SECRET_KEY for an OAuth fallback, but the supplied script only reads BAIDU_API_KEY. This appears to be a documentation mismatch, not credential exfiltration.
API Key + Secret Key (OAuth fallback)... write them to the environment variables `BAIDU_API_KEY` and `BAIDU_SECRET_KEY` respectively.
Only set BAIDU_API_KEY unless OAuth fallback support is verified in the actual code or future documentation.
