Bailian Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Alibaba Cloud web-search connector, with the main considerations being that it uses your DashScope API key, sends searches to Alibaba Cloud, and returns untrusted web content.
Install only if you are comfortable using an Alibaba Cloud DashScope API key and sending search queries to DashScope. Store the key carefully, watch for API usage or costs, and treat returned web results as untrusted information rather than instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or misleading search snippet could influence the assistant if the assistant over-trusts retrieved web content.
The skill intentionally places live web-search content into the assistant's context. Web results can contain misleading or instruction-like text, so they should not be treated as authoritative instructions.
3. Retrieves real-time search results
4. Returns structured content to the AI
Treat returned search results as untrusted reference material and require user confirmation before taking actions based on instructions found in results.
If the key is exposed, someone could use your DashScope account quota or incur usage tied to your Alibaba Cloud account.
The skill requires a DashScope API key and shows both persistent local configuration and bearer-token use. This is expected for the service, but it is still credential-bearing account access.
echo 'export DASHSCOPE_API_KEY="your-dashscope-api-key"' >> ~/.zshrc ... "Authorization": "Bearer ${DASHSCOPE_API_KEY}"
Use a scoped key if available, store it in your preferred secrets mechanism, avoid pasting real keys into shared shell history, and rotate the key if it may have been exposed.
Search terms, including any sensitive details entered in them, are transmitted to Alibaba Cloud DashScope.
The script opens an external MCP/SSE session with DashScope and sends the user's search query as a tool-call argument. This is purpose-aligned but means the provider can see the query.
requests.get('https://dashscope.aliyuncs.com/api/v1/mcps/WebSearch/sse' ...); ... 'arguments':{'query':query,'count':count}
Avoid sending secrets or highly sensitive personal/business data as search queries unless you are comfortable sharing them with the provider.
The skill may fail or prompt manual dependency installation in environments without requests installed.
The script depends on the third-party Python requests package, but the provided requirements only declare curl/python3 and package.json has no dependency list. This is a minor dependency-disclosure gap rather than evidence of unsafe install behavior.
import sys, json, requests, threading, time, os
Publisher should declare the Python dependency explicitly; users should install any missing dependency only from trusted package sources.
