Skill v1.0.0
ClawScan security
Baidu Baike Data 1.1.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 1:00 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required environment variable line up with its stated purpose (querying Baidu Baike), but note a couple of provenance and dependency details to verify before use.
- Guidance: This package is internally consistent for querying Baidu Baike, but before installing:
  1) verify the publisher/owner because _meta.json ownerId differs from the registry ownerId in the metadata;
  2) ensure your environment has python3 and the Python 'requests' package available;
  3) provide a BAIDU_API_KEY that has only the necessary scope and rotate it if you expose it during testing;
  4) review and confirm you trust network calls to https://appbuilder.baidu.com (the script calls that host);
  5) run the script in a sandbox or isolated environment if you are unsure about provenance.

  If you need higher assurance about the source, ask the publisher for a signed release or an official repository link.
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: the script queries Baidu Baike endpoints and returns structured entries. The declared primaryEnv (BAIDU_API_KEY) and required binary (python3) are appropriate for this functionality.
- Instruction Scope (note): SKILL.md and README describe only searching/listing/getting Baike entries and instruct exporting BAIDU_API_KEY and running the script. The runtime script only reads BAIDU_API_KEY and performs HTTP calls to appbuilder.baidu.com. Minor provenance issue: registry metadata ownerId differs from _meta.json ownerId in the package files; this is a non-security functional mismatch worth verifying with the publisher.
- Install Mechanism (note): No install spec (instruction-only), so nothing is automatically downloaded or installed. The Python script imports 'requests' but the skill does not declare this dependency; you should ensure the runtime has the 'requests' package available (pip install requests) before running.
- Credentials (ok): Only BAIDU_API_KEY is required and it is used as the API bearer token by the script. No other credentials, config paths, or unrelated environment variables are requested or accessed.
- Persistence & Privilege (ok): The skill does not request persistent platform privileges (always=false) and does not modify system or other skill configs. It only runs on demand and prints JSON results.
