Low risk: risk score 15/100
Last scanned: 18 hours ago
baidu-web-search
Baidu Web Search wrapper using Baidu AI Open Platform API
A straightforward Baidu web search wrapper with clean code, no shell execution, no credential exfiltration, and only network access to the declared Baidu API endpoint.
Skill name: baidu-web-search
Analysis time: 40.5s
Engine: pi
Verdict: can be installed
Skill is safe to use. Consider pinning dependency versions in requirements.txt to reduce supply chain risk.

Security findings (3)

Severity: Low
Finding: Unpinned dependency versions (category: supply chain)
Location: requirements.txt:1
requirements.txt specifies requests>=2.28.0 and python-dotenv>=1.0.0 without upper bounds, allowing any future minor/major version to be installed.
Evidence:
requests>=2.28.0
python-dotenv>=1.0.0
→ Pin exact versions: requests==2.32.3, python-dotenv==1.0.1

Severity: Info
Finding: SKILL.md lacks tool/permission declarations (category: documentation deception)
Location: SKILL.md:1
SKILL.md does not declare which OpenClaw tools (Read, Bash, WebFetch) or resource permissions (filesystem:READ, network:READ) are used. This is a documentation gap rather than a security violation.
Evidence:
# 🔍 Baidu Web Search Skill
→ Add an explicit "## Permissions" section listing network:READ, filesystem:READ, environment:READ.

Severity: Info
Finding: README.md contains example credential placeholder (category: documentation deception)
Location: README.md:21
README.md:21 shows API_KEY="your_baidu_api_key" as a documentation example. This is not an actual secret, just a placeholder string.
Evidence:
API_KEY="your_baidu_api_key"
→ No action needed: placeholder value, not a real credential.
Permission matrix (resource type: declared permission / inferred permission / status / evidence)
Filesystem: NONE / READ / ✓ consistent / src/baidu_search.py:18 reads .env from parent directory for config only
Network access: NONE / READ / ✓ consistent / src/baidu_search.py:32 performs HTTP GET to Baidu API aip.baidubce.com
Environment variables: NONE / READ / ✓ consistent / src/baidu_search.py:19 reads BAIDU_API_KEY from env
Command execution: NONE / NONE / no shell execution found
Clipboard: NONE / NONE / no clipboard access
Browser: NONE / NONE / no browser automation
Database: NONE / NONE / no database access
Skill invocation: NONE / NONE / no recursive skill invocation
10 findings (1 high severity)

🔑 High: API key, suspected hardcoded credential (identified above as a documentation placeholder)
API_KEY="your_baidu_api_key"
README.md:21

🔗 Medium: external URL
https://img.shields.io/badge/version-1.0.0-green.svg
README.md:5

🔗 Medium: external URL
https://img.shields.io/badge/License-MIT-yellow.svg
README.md:6

🔗 Medium: external URL
https://opensource.org/licenses/MIT
README.md:6

🔗 Medium: external URL
https://img.shields.io/badge/python-3.10+-blue.svg
README.md:7

🔗 Medium: external URL
https://www.python.org/downloads/
README.md:7

🔗 Medium: external URL
https://ai.baidu.com/
README.md:24

🔗 Medium: external URL
https://ai.baidu.com/docs
SKILL.md:228

🔗 Medium: external URL
https://ai.baidu.com/ai-doc/SEARCH
SKILL.md:229

🔗 Medium: external URL
https://aip.baidubce.com/rest/2.0/search
src/baidu_search.py:32

Directory structure

4 files · 9.9 KB · 486 lines
Markdown: 2 files, 362 lines · Python: 1 file, 122 lines · Text: 1 file, 2 lines
├─ 📁 src
│ └─ 🐍 baidu_search.py (Python, 122 lines, 3.3 KB)
├─ 📝 README.md (Markdown, 117 lines, 2.0 KB)
├─ 📄 requirements.txt (Text, 2 lines, 38 B)
└─ 📝 SKILL.md (Markdown, 245 lines, 4.5 KB)

Dependency analysis (2)

Package / version / source / known vulnerabilities / notes
requests / >=2.28.0 / pip / none listed / version not pinned; no upper bound
python-dotenv / >=1.0.0 / pip / none listed / version not pinned; no upper bound

Security highlights

✓ No shell or subprocess execution—pure Python library usage
✓ No credential exfiltration—API key used only for Baidu API authentication
✓ No base64, obfuscation, or anti-analysis techniques
✓ No sensitive path access (~/.ssh, ~/.aws, .env with real secrets)
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No hidden HTML comments or prompt injection payloads
✓ Clean, readable, well-structured code with typed signatures