Is baidu-search safe?
https://clawhub.ai/ide-rea/baidu-search
The baidu-search skill is a functional Baidu web search wrapper with no prompt injection, but it carries meaningful data exfiltration risk. The Python script sends all queries to Baidu's external API, sensitive files (.aws/credentials, .env) were accessed during installation (likely by the OpenClaw runtime), and the shell-based invocation pattern creates a potential injection vector. No malicious intent is evident, but the skill's legitimate network access and executable code warrant caution.
Findings (9)
HIGH Sensitive file access during install phase -30
Filesystem monitoring detected reads of .env, .aws/credentials, auth-profiles.json, and other sensitive configuration files during the skill installation phase. While this may be attributable to the OpenClaw runtime rather than the skill itself, the access to AWS credentials is a significant concern as it could indicate credential harvesting.
MEDIUM All queries sent to external Baidu API -25
The search.py script POSTs all user search queries to qianfan.baidubce.com. While this is the skill's intended functionality, it means all search content — which may include sensitive topics, internal project names, or proprietary information — transits through Baidu's servers with no local filtering or user consent mechanism.
MEDIUM Shell command execution with user-controlled input -25
The skill instructs the agent to run: python3 skills/baidu-search/scripts/search.py '
MEDIUM Executable Python with unrestricted network access -20
search.py uses the requests library with no restrictions on target URLs. The hardcoded endpoint is legitimate, but a supply-chain update could change the destination. The script has full Python execution capability within the agent's environment.
MEDIUM Environment and config file enumeration during install -25
Multiple sensitive configuration files were read during installation including .env, .profile, .bashrc, and OpenClaw configuration files. While likely from the runtime bootstrapping, this pattern is consistent with environment reconnaissance.
LOW Temporary file creation in /tmp -15
Multiple jiti cache files were created in /tmp during install. These are likely from the OpenClaw runtime's module transpilation but represent writable artifacts outside the skill directory.
LOW Supply-chain update risk -20
The skill's Python script could be updated via ClawHub to include malicious code. Since the agent executes the script directly, any update to search.py would be trusted and executed without user review. The X-Appbuilder-From header identifies the source as 'openclaw', enabling server-side targeting.
INFO Clean SKILL.md with no injection patterns -5
The SKILL.md file contains only standard documentation: parameter tables, usage examples, and API description. No hidden instructions, unicode tricks, or persona manipulation detected.
LOW Combination risk with filesystem-access skills -20
If installed alongside a skill that can read local files, an attacker could chain: read sensitive file contents -> construct a search query containing that data -> exfiltrate via the Baidu API POST request. The skill's legitimate network access provides a covert exfiltration channel.