Baidu Intelligent Search - 百度智能搜索生成 Security Report — Trusted | ClawSafe

5 /100

Baidu Intelligent Search - 百度智能搜索生成

联网搜索 + 大模型总结的智能搜索生成技能，基于百度千帆平台 API

BaiduAI is a straightforward intelligent web search skill that calls Baidu's Qianfan API with a user-provided API key. No malicious behavior, hidden functionality, credential exfiltration, or suspicious network activity detected.

Skill NameBaidu Intelligent Search - 百度智能搜索生成

Duration23.1s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use as documented.

Findings 1 items

Severity	Finding	Location
Low	Example API key placeholder in documentation SKILL.md:34 contains `API_KEY="your_appbuilder_api_key_here"` as a documented example. This is a placeholder string with no security impact, but best practice would be to clarify in comments that this is an example value only. `export BAIDU_API_KEY="your_appbuilder_api_key_here"` → Add a comment noting this is an example/placeholder value, e.g., '# REPLACE WITH YOUR ACTUAL KEY'	`SKILL.md:34`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	baiduai.py:116 — POST to https://qianfan.baidubce.com/v2/ai_search/chat/completi…
Environment	`READ`	`READ`	✓ Aligned	baiduai.py:188 — reads BAIDU_API_KEY from os.getenv() for API authentication onl…
Filesystem	`NONE`	`NONE`	—	No filesystem access in baiduai.py
Shell	`NONE`	`NONE`	—	No subprocess/shell invocation in baiduai.py

1 High 7 findings

🔑

High API Key 疑似硬编码凭证

API_KEY="your_appbuilder_api_key_here"

SKILL.md:34

🔗

Medium External URL 外部 URL

https://cloud.baidu.com/doc/qianfan-api/s/Hmbu8m06u

SKILL.md:9

🔗

Medium External URL 外部 URL

https://qianfan.baidubce.com/v2/ai_search/chat/completions

SKILL.md:10

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/

SKILL.md:15

🔗

Medium External URL 外部 URL

https://www.jisuapi.com

SKILL.md:28

🔗

Medium External URL 外部 URL

https://www.jisuepc.com

SKILL.md:29

🔗

Medium External URL 外部 URL

https://baijiahao.baidu.com/...

SKILL.md:176

File Tree

2 files · 16.3 KB · 438 lines

Markdown 1f · 221L Python 1f · 217L

├─ 🐍 baiduai.py Python 217L · 7.1 KB

└─ 📝 SKILL.md Markdown 221L · 9.2 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requests`	`unpinned`	pip	No	Version not pinned; requests itself is a standard library wrapper with no inherent security risk in this context

Security Positives

✓ All network requests go to Baidu's official Qianfan API endpoint (qianfan.baidubce.com)

✓ No subprocess or shell execution of any kind

✓ No filesystem write operations

✓ No credential exfiltration — API key is used only for Baidu API authentication

✓ No iteration over os.environ for credential harvesting

✓ No base64, eval, or other code execution tricks

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)

✓ No hidden HTML comments or obfuscated instructions

✓ No remote script execution (curl|bash, wget|sh, etc.)

✓ Clean, straightforward Python with typed hints and error handling

✓ API key read exclusively from environment variable (BAIDU_API_KEY), not from user input or files

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives