Is deepresearch-conversation safe?

https://clawhub.ai/ide-rea/deepresearch-conversation

Score: 62 · CAUTION

This skill is a Baidu Deep Research API wrapper that transmits user queries and local files to qianfan.baidubce.com. The primary risks are: (1) the file upload capability creates a direct path for local files to be exfiltrated to Baidu's cloud, (2) installation monitoring detected access to sensitive credential files (.aws/credentials, .env) beyond what the skill requires, and (3) the SSE streaming response pattern creates a second-order prompt injection vector where Baidu's API could return adversarial content the agent would process as trusted instructions.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 85/100 · 30%
Data Exfiltration 38/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

CRITICAL Arbitrary local file upload to Baidu cloud -40

The FileUpload API instructs the agent to upload local files using curl -F 'file=@local_file_path' to qianfan.baidubce.com. This creates a direct path for any local file to be transmitted to Baidu's servers. The agent is instructed to use this as part of the normal workflow when users want to discuss files.

HIGH Credential file access during installation -22

Filesystem monitoring detected reads of ~/.aws/credentials, ~/.env, ~/.openclaw/openclaw.json, and auth-profiles.json during the skill installation process. While some config reads may be expected (openclaw.json for API key), accessing AWS credentials and .env is not justified by this skill's stated functionality.

HIGH All user data transmitted to third-party Chinese cloud service -15

Every API call sends user queries, conversation context, and uploaded files to qianfan.baidubce.com (Baidu Cloud). Users may not realize their research queries and documents are being processed by Baidu's infrastructure, which is subject to Chinese data governance laws.

MEDIUM Python script executes with user-controlled JSON input -15

The deepresearch_conversation.py script takes a JSON string from sys.argv[1] and passes it directly to the requests library as the POST body. While the script itself has no command injection vulnerability, it opens an outbound HTTPS connection carrying a user-controlled payload.

MEDIUM Python script reads OpenClaw config to extract API keys -10

The script reads the OpenClaw configuration file at ~/.openclaw/openclaw.json and walks it to extract BAIDU_API_KEY. This accesses a centralized config that may contain keys for other skills, expanding the attack surface if the script were modified.

MEDIUM SSE response stream could carry prompt injection -30

The skill instructs the agent to parse SSE responses and follow directives like interrupt_id and structured_outline. If the Baidu API returns adversarial content in these fields, the agent would process it as trusted instructions. This creates a second-order prompt injection vector via the API.

MEDIUM Excessive config and profile file reads during install -15

The installation process read ~/.profile and ~/.bashrc 6+ times each, and accessed ~/.openclaw/openclaw.json 6+ times. While this is likely framework behavior, repeated reads of shell profiles during skill installation are unusual.

MEDIUM Iterative conversation loop with external API -15

The skill instructs the agent to 'keep calling DeepresearchConversation iteratively until the user is satisfied.' This creates an open-ended loop where the agent continuously processes content from Baidu's API, increasing the window for adversarial content injection.

LOW Temp file creation during install -5

Multiple .cjs files were created in /tmp/jiti/ during installation. These appear to be OpenClaw framework transpilation cache files, not skill-specific behavior.

INFO No hidden content or obfuscation detected 0

SKILL.md contains no invisible Unicode characters, HTML comments, base64-encoded payloads, or other obfuscation techniques. The instructions are straightforward API wrapper documentation.