Trusted — Risk Score 5/100
Last scan: 18 hr ago
baidu-scholar-search-skill
Baidu Scholar Search - Search Chinese and English academic literature
A straightforward Baidu Scholar API wrapper that makes legitimate HTTP GET requests with no hidden functionality or suspicious behavior.
Skill Name: baidu-scholar-search-skill
Duration: 27.0s
Engine: pi
Safe to install
No action needed. This is a simple, transparent academic search tool.

Findings 2 items

Severity: Low
Finding: Reads BAIDU_API_KEY from environment (Sensitive Access)
The script reads the BAIDU_API_KEY environment variable for API authentication. This is declared in SKILL.md and _meta.json as a required credential. The key is only used for authentication to Baidu's API and is not exfiltrated.
if [ -z "$BAIDU_API_KEY" ]; then
→ This is expected and declared behavior. No action needed.
Location: baidu_scholar_search.sh:14

Severity: Low
Finding: Shell execution via bash (RCE)
The skill executes a bash script (baidu_scholar_search.sh). This is declared in _meta.json under 'requires.bins' and in SKILL.md usage examples.
#!/bin/bash
→ This is expected and declared behavior. No action needed.
Location: baidu_scholar_search.sh:1

Resource     Declared  Inferred  Status     Evidence
Shell        WRITE     WRITE     ✓ Aligned  bash baidu_scholar_search.sh execution
Network      READ      READ      ✓ Aligned  curl to qianfan.baidubce.com API
Environment  READ      READ      ✓ Aligned  Reads BAIDU_API_KEY from environment

3 findings
Medium External URL
https://xueshu.baidu.com/
SKILL.md:4
Medium External URL
https://qianfan.baidubce.com/v2/tools/baidu_scholar/search
SKILL.md:45
Medium External URL
https://qianfan.baidubce.com/v2/tools/baidu_scholar/search?wd=$WD&pageNum=$pageNum&enable_abstract=$enable_abstract
baidu_scholar_search.sh:32

File Tree

3 files · 3.7 KB · 121 lines
Markdown 1f · 84L Shell 1f · 32L JSON 1f · 5L
├─ 📋 _meta.json JSON 5L · 145 B
├─ 🔧 baidu_scholar_search.sh Shell 32L · 874 B
└─ 📝 SKILL.md Markdown 84L · 2.7 KB

Security Positives

✓ Clear, concise documentation with no contradictions
✓ All required permissions declared in _meta.json (bash, BAIDU_API_KEY)
✓ Uses standard HTTP GET with Bearer token authentication
✓ No base64 encoding or obfuscation
✓ No credential exfiltration or data theft
✓ No network connections to unexpected hosts
✓ Simple, single-purpose script with transparent logic