Baidu Search Node Review
Audited by ClawScan on May 10, 2026.
Overview
The Baidu search function is coherent, but its documented integration builds a shell command from the search query without safe argument handling.
Install only if you are comfortable with a Node.js scraper sending your search terms to Baidu. If integrating it, do not use the execSync command-string example as written; use safe argument passing instead.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user copies this wrapper as written, a specially crafted search query could cause unintended local shell commands to run.
The documented usage builds a shell command string with the user-controlled search query. Double quotes do not safely prevent shell metacharacter or command-substitution issues.
const cmd = `node "${scriptPath}" "${query}" -n ${count}`;
const output = execSync(cmd, { encoding: 'utf-8' });
Invoke the script with a safe argument API such as child_process.execFile or spawn using an argument array, validate count as a number, and avoid passing user input through a shell string.
Dependency installation can introduce normal package supply-chain risk, even though the included package-lock lists pinned resolved versions and integrity values.
The documented setup installs third-party npm packages. This is expected for the Node.js scraper, but it relies on external package sources during setup.
npm install axios cheerio commander
Prefer installing from the included lockfile with npm ci, review the package-lock sources, and avoid replacing pinned dependencies unless needed.
