Trusted: risk score 5/100
Last scan: 2 days ago
Baidu Intelligent Search (百度智能搜索生成)
An intelligent search-generation skill that combines live web search with LLM summarization, built on the Baidu Qianfan platform API.
BaiduAI is a straightforward intelligent web search skill that calls Baidu's Qianfan API with a user-provided API key. No malicious behavior, hidden functionality, credential exfiltration, or suspicious network activity detected.
Skill name: Baidu Intelligent Search (百度智能搜索生成)
Analysis time: 23.1s
Engine: pi
Verdict: can be installed
No action needed. The skill is safe to use as documented.

Security findings (1)

Severity | Finding | Location
Low | Example API key placeholder in documentation | SKILL.md:34
SKILL.md:34 contains `API_KEY="your_appbuilder_api_key_here"` as a documented example. This is a placeholder string with no security impact, but best practice would be to state in a comment that it is an example value only.
export BAIDU_API_KEY="your_appbuilder_api_key_here"
→ Add a comment noting this is an example/placeholder value, e.g., '# REPLACE WITH YOUR ACTUAL KEY'
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | baiduai.py:116 — POST to https://qianfan.baidubce.com/v2/ai_search/chat/completi…
Environment variables | READ | READ | ✓ consistent | baiduai.py:188 — reads BAIDU_API_KEY from os.getenv() for API authentication onl…
Filesystem | NONE | NONE | | No filesystem access in baiduai.py
Command execution | NONE | NONE | | No subprocess/shell invocation in baiduai.py
Pattern findings: 1 high, 7 findings in total
🔑 High · API key · Suspected hard-coded credential
API_KEY="your_appbuilder_api_key_here"
SKILL.md:34
🔗 Medium · External URL
https://cloud.baidu.com/doc/qianfan-api/s/Hmbu8m06u
SKILL.md:9
🔗 Medium · External URL
https://qianfan.baidubce.com/v2/ai_search/chat/completions
SKILL.md:10
🔗 Medium · External URL
https://www.jisuapi.com/
SKILL.md:15
🔗 Medium · External URL
https://www.jisuapi.com
SKILL.md:28
🔗 Medium · External URL
https://www.jisuepc.com
SKILL.md:29
🔗 Medium · External URL
https://baijiahao.baidu.com/...
SKILL.md:176

Directory structure

2 files · 16.3 KB · 438 lines
Markdown: 1 file · 221 lines; Python: 1 file · 217 lines
├─ 🐍 baiduai.py  Python, 217 lines · 7.1 KB
└─ 📝 SKILL.md  Markdown, 221 lines · 9.2 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
requests | unpinned | pip | | Version not pinned; requests itself is a standard library wrapper with no inherent security risk in this context

Security highlights

✓ All network requests go to Baidu's official Qianfan API endpoint (qianfan.baidubce.com)
✓ No subprocess or shell execution of any kind
✓ No filesystem write operations
✓ No credential exfiltration — API key is used only for Baidu API authentication
✓ No iteration over os.environ for credential harvesting
✓ No base64, eval, or other code execution tricks
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No hidden HTML comments or obfuscated instructions
✓ No remote script execution (curl|bash, wget|sh, etc.)
✓ Clean, straightforward Python with typed hints and error handling
✓ API key read exclusively from environment variable (BAIDU_API_KEY), not from user input or files