Is baidu-scholar-search-skill safe?
https://clawhub.ai/ide-rea/baidu-scholar-search-skill
This skill is a thin bash wrapper around Baidu's Scholar Search API. It contains no malicious code, hidden instructions, or prompt injection attempts. However, it has significant security hygiene issues: the search keyword is passed unquoted and un-URL-encoded to curl, creating injection and exfiltration vectors. The API key is transmitted externally on every call, and the keyword parameter could be weaponized by a chained attack to exfiltrate data to Baidu's servers.
Findings (6)
HIGH Unquoted variable in curl URL enables shell injection (-25)
In baidu_scholar_search.sh, the $WD variable is interpolated directly into the curl URL without quoting: "...?wd=$WD&pageNum=$pageNum&enable_abstract=$enable_abstract". If the keyword contains shell metacharacters (spaces, semicolons, backticks, $(), etc.), the shell will expand or split them. While curl receives a single string argument in this context, the lack of URL-encoding means special characters could alter the request or cause unexpected behavior.
HIGH API key transmitted to external endpoint on every invocation (-35)
The BAIDU_API_KEY is sent as a Bearer token to qianfan.baidubce.com on every search request. If this environment variable is set in the agent's environment, it is continuously exposed to Baidu's servers. Additionally, any data passed as the search keyword is transmitted externally, creating a channel that a chained skill or prompt injection could exploit to exfiltrate arbitrary data.
MEDIUM Search keyword parameter doubles as data exfiltration channel (-10)
The 'wd' (keyword) parameter is user-controlled and sent to an external server without validation. A malicious prompt injection or chained skill could instruct the agent to pass sensitive data (environment variables, file contents, credentials) as the 'search keyword', effectively exfiltrating it to Baidu's API servers.
MEDIUM No URL-encoding of user input in HTTP request (-15)
The search keyword, page number, and abstract flag are concatenated directly into the URL without URL-encoding. Characters like &, =, #, ?, and spaces in the keyword could break or alter the HTTP request semantics.
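Hardened form of the request criticised in the two findings above (the unquoted $WD interpolation and the missing URL-encoding), as an added example that is not the skill's own script: a POSIX percent-encoder for the query values, plus a request function that quotes every expansion and delegates encoding to curl's -G --data-urlencode. BASE_URL, build_query and scholar_search are assumed names; only the wd, pageNum and enable_abstract parameters come from the finding.

```shell
#!/bin/sh
# Added example, not the skill's script. Quoting "$WD" stops the shell from
# re-interpreting the value, but it does NOT encode it: '&', '=' or '#' in a
# keyword would still rewrite the query. Encoding fixes that second problem.

# Percent-encode every byte of $1 except RFC 3986 unreserved characters
# (ALPHA / DIGIT / "-" / "." / "_" / "~"). It works byte-wise, so UTF-8
# keywords such as Chinese titles are encoded correctly as well.
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr ' ' '\n' | tr -s '\n' | sed '/^$/d' |
  while read -r hex; do
    case "$hex" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        # unreserved byte: emit it unchanged via its octal escape
        printf "\\$(printf '%03o' "$((0x$hex))")" ;;
      *)
        # everything else becomes %XX with upper-case hex digits
        printf '%%%s' "$hex" | tr 'a-f' 'A-F' ;;
    esac
  done
}

# Build the query string with each value encoded (returned on stdout).
# Assumed helper; the parameter names are the ones the finding lists.
build_query() {
  printf 'wd=%s&pageNum=%s&enable_abstract=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Hardened request: every expansion is quoted and curl does the encoding
# (-G appends the --data-urlencode pairs as the query string). BASE_URL is
# a placeholder for the skill's endpoint; BAIDU_API_KEY is read as the skill
# does, from the environment, and never placed in the URL or on the command
# line as a query value.
scholar_search() {
  curl -sS -G "${BASE_URL:?set BASE_URL to the Scholar Search endpoint}" \
    -H "Authorization: Bearer ${BAIDU_API_KEY:?BAIDU_API_KEY is not set}" \
    --data-urlencode "wd=$1" \
    --data-urlencode "pageNum=${2:-1}" \
    --data-urlencode "enable_abstract=${3:-false}"
}
```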
LOW Behavioral directives in SKILL.md influence agent decision-making (-15)
The SKILL.md contains sections titled 'When to Return Abstract' and 'When NOT to Return Abstract' that pattern-match on user language to influence agent behavior. While benign in intent (optimizing API usage), this demonstrates how skills can shape agent decisions based on user phrasing, which is a mild form of behavioral steering.
INFO Filesystem events are from audit tooling, not skill (-5)
All observed filesystem events in /tmp/jiti/ are CJS compilation artifacts from the jiti runtime used by the audit infrastructure. No skill-originated filesystem activity detected.