Low risk: risk score 5/100
Last scan: 18 hours ago
baidu-test
Search the web using Baidu AI Search Engine (BDSE)
A legitimate Baidu web search tool that makes HTTP POST requests to Baidu's official API using an environment variable API key. No malicious behavior, obfuscation, or credential exfiltration detected.
Skill name: baidu-test
Analysis time: 33.2s
Engine: pi
Verdict: safe to install
No blocking action required. Consider pinning the requests library version in a requirements.txt for improved supply chain hygiene.

Security findings (1)

Severity: Low
Finding: Unpinned Python dependency (supply chain)
Location: scripts/search.py:3
Details: The 'requests' library is imported without a version constraint. While not inherently malicious, unpinned dependencies could introduce vulnerabilities if a new compromised version is released.
Evidence: import requests
→ Add a requirements.txt file with pinned versions: requests>=2.28.0,<3.0.0
Resource type          Declared  Inferred  Status        Evidence
Network access         READ      READ      ✓ Consistent  scripts/search.py:19 - HTTP POST to qianfan.baidubce.com
Environment variables  READ      READ      ✓ Consistent  scripts/search.py:67 - os.getenv('BAIDU_API_KEY')
File system            NONE      NONE                    No file operations in code
Command execution      NONE      NONE                    No subprocess or shell execution found
External URLs (1)
Severity: Medium
External URL: https://qianfan.baidubce.com/v2/ai_search/web_search
Location: scripts/search.py:10

Directory structure

2 files · 4.8 KB · 154 lines
Python: 1 file · 102 lines; Markdown: 1 file · 52 lines
├─ scripts
│  └─ search.py  Python, 102 lines · 3.4 KB
└─ SKILL.md  Markdown, 52 lines · 1.4 KB

Dependency analysis (1)

Package   Version  Source  Known vulnerabilities  Notes
requests  *        pip                            Version not pinned

Security highlights

✓ API key read from environment variable, not hardcoded
✓ No credential exfiltration - key only used for Baidu API authentication
✓ No shell execution (subprocess, os.popen) detected
✓ No obfuscation (base64, eval) or anti-analysis patterns
✓ Clean, readable code that matches documentation
✓ Makes requests to a known, legitimate Baidu API endpoint
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No C2 communication or data exfiltration patterns