Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baidu Smart Search

v0.1.1

Call Baidu Qianfan web search APIs to search the live web with AppBuilder credentials and return structured results. Use when a task specifically needs Baidu...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name, description, references, and the included script all consistently implement a Baidu Qianfan web search client. However, the registry metadata declares no required environment variables or primary credential, while SKILL.md and scripts/qianfan_search.py clearly require QIANFAN_APPBUILDER_API_KEY (or --api-key). The undeclared credential is an inconsistency between what the skill says it needs and what it actually reads at runtime.
Instruction Scope
SKILL.md instructs the agent/user to set the AppBuilder API key and run the included Python wrapper. The runtime instructions and script perform only the expected actions: build a JSON payload, POST it to the documented Baidu Qianfan endpoint, and normalize the results. There are no instructions to read unrelated files, harvest other environment variables, or send data to any third-party endpoint beyond the documented API. One minor note: the script accepts a --url override, which lets a caller direct the request, and the API key that travels with it, to a non-default endpoint if intentionally used.
Install Mechanism
No install spec; this is an instruction-only skill with a small included Python script. Nothing is downloaded or installed by the skill, so install risk is low.
Credentials
The skill legitimately needs an AppBuilder API key (QIANFAN_APPBUILDER_API_KEY) to authenticate to the Baidu endpoint; that is proportionate to its purpose. However, the skill metadata does not declare this required environment variable or a primary credential, creating an information gap. SKILL.md appropriately warns not to publish keys, but the mismatch between declared requirements and runtime expectations is a problem both for users deciding what to provision and for automated permission/credential checks that rely on the metadata.
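The mismatch above is the kind of thing a registry can check mechanically before a human ever reads the scan. The following is an added example, not ClawHub's scanner and not code from the skill: it extracts the environment variables a skill's Python and SKILL.md actually read and compares them with what the metadata declares. The metadata field name `required_env` is a hypothetical placeholder (the real ClawHub schema is not shown on this page), and the sample metadata and source snippets are constructed to mirror the scan's findings rather than copied from the skill.

```python
"""Flag environment variables a skill reads but does not declare.

Added example (not ClawHub's or the skill's own code). Assumes registry
metadata is a dict carrying a list under "required_env" (hypothetical field
name) and that code reads secrets through the usual os.environ / os.getenv
calls or documents them as `export VAR=...` lines in SKILL.md.
"""
import re

# Common ways a Python script or a markdown setup snippet names an env var.
ENV_PATTERNS = [
    re.compile(r"""os\.environ\[\s*['"]([A-Z_][A-Z0-9_]*)['"]\s*\]"""),
    re.compile(r"""os\.environ\.get\(\s*['"]([A-Z_][A-Z0-9_]*)['"]"""),
    re.compile(r"""os\.getenv\(\s*['"]([A-Z_][A-Z0-9_]*)['"]"""),
    re.compile(r"""export\s+([A-Z_][A-Z0-9_]*)="""),  # shell snippets in SKILL.md
]


def referenced_env_vars(text: str) -> set:
    """Return every env var name the given source text references."""
    found = set()
    for pattern in ENV_PATTERNS:
        found.update(pattern.findall(text))
    return found


def undeclared_env_vars(metadata: dict, sources: dict) -> dict:
    """Map each file to the env vars it reads that the metadata does not declare.

    An empty dict means declarations and runtime expectations agree.
    """
    declared = set(metadata.get("required_env", []))  # hypothetical field name
    gaps = {}
    for path, text in sources.items():
        missing = referenced_env_vars(text) - declared
        if missing:
            gaps[path] = missing
    return gaps


# Constructed sample inputs modelled on the scan report; not the skill's real files.
SAMPLE_METADATA = {"name": "baidu-smart-search", "version": "0.1.1", "required_env": []}
SAMPLE_SOURCES = {
    "SKILL.md": "Set your key before running:\n\n    export QIANFAN_APPBUILDER_API_KEY=...\n",
    "scripts/qianfan_search.py": (
        "import os\n"
        "api_key = args.api_key or os.environ.get('QIANFAN_APPBUILDER_API_KEY')\n"
    ),
}

if __name__ == "__main__":
    for path, names in undeclared_env_vars(SAMPLE_METADATA, SAMPLE_SOURCES).items():
        print(f"{path}: reads {sorted(names)} but metadata declares none of them")
```

Running it against the constructed inputs reports QIANFAN_APPBUILDER_API_KEY as undeclared in both files; adding the variable to `required_env` clears the finding. A real scanner would also want to catch indirect reads (a config loader, a `.env` file), so treat the regexes as a starting point rather than a complete detector.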
Persistence & Privilege
The skill does not request always:true and contains no install steps that persist beyond the skill files. It does network I/O only when invoked and does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it claims (wrap Baidu Qianfan web_search). Before installing or running it:

1) Be aware you must provide an AppBuilder API key (QIANFAN_APPBUILDER_API_KEY) even though the registry metadata doesn't declare it. Prefer a dedicated, least-privilege key.
2) Don't publish or commit your .env or API key; follow the SKILL.md security rules.
3) Review the default endpoint (https://qianfan.baidubce.com/...) and avoid using the --url override unless you control the target, since pointing the script to an attacker-controlled URL could expose your key.
4) Ask the publisher to update the skill metadata to list the required environment variable and primary credential so automated tooling and other users can correctly assess required secrets.
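Point 3 is the one concrete risk in the scan: a `--url` override that is honoured unconditionally will send the API key to whatever host is named. The following is an added example, not the skill's scripts/qianfan_search.py, showing how a wrapper can keep the override but refuse to attach credentials unless the URL is HTTPS to an allowlisted host. The allowlisted host is taken from the default endpoint the report cites (qianfan.baidubce.com); the `Authorization: Bearer` header, the JSON body shape, the default URL path and all function names are assumptions for illustration, not the Qianfan API's documented format.

```python
"""Allowlist guard for a --url override before sending an API key.

Added example (not the skill's own code). Assumes the legitimate API host is
qianfan.baidubce.com, as in the report's default endpoint; header name, body
shape and the placeholder default path are illustrative assumptions.
"""
from typing import Optional
from urllib.parse import urlsplit

# Hosts that may receive the credential. Exact match only: no suffix matching,
# so "qianfan.baidubce.com.evil.example" is rejected.
ALLOWED_HOSTS = frozenset({"qianfan.baidubce.com"})


def resolve_endpoint(override: Optional[str], default_url: str) -> str:
    """Return the URL to POST to, or raise ValueError if the override would
    ship the API key to a non-allowlisted host or over plain HTTP."""
    if override is None:
        return default_url
    parts = urlsplit(override)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {override}")
    if parts.username or parts.password:
        # "https://qianfan.baidubce.com@evil.example/" looks legitimate at a glance
        raise ValueError("userinfo in the endpoint URL is not allowed")
    host = (parts.hostname or "").lower()  # hostname already strips port and userinfo
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to send credentials to {host!r}")
    return override


def endpoint_allowed(override: Optional[str], default_url: str) -> bool:
    """Boolean form of resolve_endpoint for callers that only need yes/no."""
    try:
        resolve_endpoint(override, default_url)
    except ValueError:
        return False
    return True


def build_request(query: str, api_key: str, override: Optional[str], default_url: str) -> dict:
    """Assemble the pieces a caller would hand to requests.post(**...).

    The key is only placed in the headers after the endpoint passes the guard,
    so a rejected override never produces a request carrying the secret.
    """
    url = resolve_endpoint(override, default_url)
    return {
        "url": url,
        "headers": {"Authorization": f"Bearer {api_key}"},  # assumed header scheme
        "json": {"query": query},  # assumed body shape
    }


if __name__ == "__main__":
    # Placeholder default; the real path is elided ("...") in the scan report.
    default = "https://qianfan.baidubce.com/placeholder-path"
    for candidate in [None, "https://qianfan.baidubce.com/other-path",
                      "http://qianfan.baidubce.com/placeholder-path",
                      "https://evil.example/collect",
                      "https://qianfan.baidubce.com@evil.example/collect"]:
        print(f"{candidate!r:60} -> {'ok' if endpoint_allowed(candidate, default) else 'REJECTED'}")
```

The allowlist is deliberately an exact host match rather than a suffix check, and userinfo is rejected outright, because both are the usual ways a URL is made to look like the legitimate host while resolving elsewhere. If the script really needs to target a different deployment, extend `ALLOWED_HOSTS` from configuration you control rather than trusting the command line.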

Like a lobster shell, security has layers — review code before you run it.

