Low Risk — Risk Score 15/100
Last scan: 16 hr ago
baidu-web-search
Baidu Web Search wrapper using Baidu AI Open Platform API
A straightforward Baidu web search wrapper with clean code, no shell execution, no credential exfiltration, and only network access to the declared Baidu API endpoint.
Skill Name: baidu-web-search
Duration: 40.5s
Engine: pi
Safe to install
Skill is safe to use. Consider pinning dependency versions in requirements.txt to reduce supply chain risk.

Findings (3 items)

Severity: Low
Finding: Unpinned dependency versions (Supply Chain)
requirements.txt specifies requests>=2.28.0 and python-dotenv>=1.0.0 without upper bounds, allowing any future minor/major version to be installed.
    requests>=2.28.0
    python-dotenv>=1.0.0
→ Pin exact versions: requests==2.32.3, python-dotenv==1.0.1
Location: requirements.txt:1

Severity: Info
Finding: SKILL.md lacks tool/permission declarations (Doc Mismatch)
SKILL.md does not declare which OpenClaw tools (Read, Bash, WebFetch) or resource permissions (filesystem:READ, network:READ) are used. This is a documentation gap rather than a security violation.
    # 🔍 Baidu Web Search Skill
→ Add an explicit ## Permissions section listing network:READ, filesystem:READ, environment:READ.
Location: SKILL.md:1

Severity: Info
Finding: README.md contains example credential placeholder (Doc Mismatch)
README.md:21 shows API_KEY="your_baidu_api_key" as a documentation example. This is not an actual secret, just a placeholder string.
    API_KEY="your_baidu_api_key"
→ No action needed—placeholder value, not a real credential.
Location: README.md:21
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ Aligned | src/baidu_search.py:18 — reads .env from parent directory for config only
Network | NONE | READ | ✓ Aligned | src/baidu_search.py:32 — HTTP GET to Baidu API aip.baidubce.com
Environment | NONE | READ | ✓ Aligned | src/baidu_search.py:19 — reads BAIDU_API_KEY from env
Shell | NONE | NONE | | No shell execution found
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill Invoke | NONE | NONE | | No recursive skill invocation
Pattern findings: 1 High · 10 findings

Severity | Category | Match | Location
High | API Key (suspected hard-coded credential) | API_KEY="your_baidu_api_key" | README.md:21
Medium | External URL | https://img.shields.io/badge/version-1.0.0-green.svg | README.md:5
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README.md:6
Medium | External URL | https://opensource.org/licenses/MIT | README.md:6
Medium | External URL | https://img.shields.io/badge/python-3.10+-blue.svg | README.md:7
Medium | External URL | https://www.python.org/downloads/ | README.md:7
Medium | External URL | https://ai.baidu.com/ | README.md:24
Medium | External URL | https://ai.baidu.com/docs | SKILL.md:228
Medium | External URL | https://ai.baidu.com/ai-doc/SEARCH | SKILL.md:229
Medium | External URL | https://aip.baidubce.com/rest/2.0/search | src/baidu_search.py:32

File Tree

4 files · 9.9 KB · 486 lines
Markdown: 2 files, 362 lines · Python: 1 file, 122 lines · Text: 1 file, 2 lines
├─ 📁 src
│ └─ 🐍 baidu_search.py Python 122L · 3.3 KB
├─ 📝 README.md Markdown 117L · 2.0 KB
├─ 📄 requirements.txt Text 2L · 38 B
└─ 📝 SKILL.md Markdown 245L · 4.5 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
requests | >=2.28.0 | pip | No | Version not pinned; no upper bound
python-dotenv | >=1.0.0 | pip | No | Version not pinned; no upper bound

Security Positives

✓ No shell or subprocess execution—pure Python library usage
✓ No credential exfiltration—API key used only for Baidu API authentication
✓ No base64, obfuscation, or anti-analysis techniques
✓ No sensitive path access (~/.ssh, ~/.aws, .env with real secrets)
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No hidden HTML comments or prompt injection payloads
✓ Clean, readable, well-structured code with typed signatures