Back to plugin

Security audit

Baidu Search Provider

Security checks across malware telemetry and agentic risk

Overview

The plugin mostly matches its Baidu search purpose, but the submitted artifacts include real-looking credentials, including an npm publish token, which creates a serious review concern.

Treat this as a review-needed plugin until the publisher removes the .env file, rotates the exposed credentials, and republishes a clean artifact. The Baidu search functionality itself is coherent, but users should also understand that the agent can automatically send search queries to Baidu when the tool or hook is enabled.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.cjs:40
Evidence
const value = process.env[key];

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:12
Evidence
const value = process.env[key];

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
.env:1
Evidence
export BAIDU_API_KEY=[REDACTED]

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.cjs:132
Evidence
apiKey: [REDACTED] ?? readEnvString(ENV_VAR_MAPPING.apiKey),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:104
Evidence
apiKey: [REDACTED] ?? readEnvString(ENV_VAR_MAPPING.apiKey),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/config.ts:124
Evidence
apiKey: [REDACTED] ?? readEnvString(ENV_VAR_MAPPING.apiKey),