Is baidu-baike-data safe?

https://clawhub.ai/ide-rea/baidu-baike-data

68
CAUTION

This skill is an empty shell — it contains no SKILL.md, no source code, and no functionality despite its name 'baidu-baike-data' implying Baidu encyclopedia data access. The only file is a .clawhub/lock.json referencing 'academic-research-hub'. While it poses no immediate technical threat (clean monitoring, intact canaries, no code execution), the deceptive naming and complete absence of content suggest either an abandoned placeholder or a name-squatting skill that could be updated with malicious content later.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (5)

MEDIUM Empty SKILL.md — no skill definition -30

The SKILL.md file is completely empty. This means the skill provides zero functionality to the agent. An empty skill definition is suspicious because: (1) it could be a placeholder designed to claim a skill name for later malicious updates, (2) the skill name 'baidu-baike-data' implies data retrieval functionality that does not exist, creating a false expectation, (3) users may trust the skill based on its name alone without realizing it contains nothing.

LOW No code to evaluate for exfiltration risks -15

With no source code, there are no current exfiltration vectors. However, the absence of code means there is nothing to audit — future updates could introduce exfiltration without the user re-auditing.

LOW No executable content present -20

The skill contains no executable code. The only file is a JSON lock manifest. While this means no current execution risk, it also means the skill is non-functional.

INFO Clean clone with no suspicious activity -5

The installation process showed no network connections, no process spawning, and no filesystem changes beyond the expected skill directory.

MEDIUM Deceptive naming — skill name implies functionality that does not exist -70

The skill is named 'baidu-baike-data', which strongly implies it provides Baidu Baike (Chinese encyclopedia) data retrieval capabilities. The lock.json references 'academic-research-hub'. In reality, the skill contains absolutely no functionality. This mismatch between name and content is a red flag for either: (1) an abandoned/broken skill squatting on a useful name, or (2) a placeholder that could be weaponized via future updates. Users searching for Baidu Baike integration would install this expecting functionality and get nothing.