📦 baidu-scholar-search — 技能工具
v1.0.0Academic Literature Search Tool enables the retrieval of both Chinese and English literature, covering various types of literature such as academic journals,...
0· 22·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill claims to be a Baidu Scholar search tool but actually forwards queries to a third-party SkillBoss API (heybossai.com) and has mismatches between declared metadata and required secrets, so its purpose and requirements don't fully align.
评估建议
This skill is suspiciously inconsistent: although it's labeled as a Baidu Scholar tool, its code and docs send your search queries to https://api.heybossai.com (SkillBoss) and require a SKILLBOSS_API_KEY. Before installing, verify the author/source and whether you trust that external service. Do not use your primary or high-privilege API keys; create a limited-scope key if you proceed. Avoid sending sensitive or proprietary queries through the skill until you confirm where data is sent and how i...详细分析 ▾
⚠ 用途与能力
The name/description/homepage advertise a Baidu Scholar (xueshu.baidu.com) integration, but the runtime script and SKILL.md send queries to https://api.heybossai.com/v1/pilot (SkillBoss). That is a clear mismatch: the skill is not directly calling Baidu and instead relies on a third-party proxy/service.
⚠ 指令范围
The SKILL.md and included script instruct the agent to POST user search queries to the SkillBoss endpoint using an API key. While this stays within 'search' functionality, it means user queries (potentially sensitive) are transmitted to a third party not mentioned in the high-level description. The SKILL.md does not instruct reading unrelated files, but it does require exposing queries to an external service.
✓ 安装机制
No install spec (instruction-only plus a small shell script) and no downloads; required binary is only curl. There is no evidence of arbitrary remote code being pulled during install.
⚠ 凭证需求
The runtime requires SKILLBOSS_API_KEY (used to authenticate to heybossai.com), which is appropriate if using that API. However, the registry metadata at the top claimed no required env vars while SKILL.md and the script require SKILLBOSS_API_KEY — an inconsistency. Also the API key is for SkillBoss, not Baidu, which may surprise users expecting direct Baidu access.
✓ 持久化与权限
The skill does not request always:true and does not attempt to modify other skills or system configs; default autonomous invocation is allowed (normal).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/14
Initial release of Baidu Scholar Search skill. - Search both Chinese and English academic literature, including journals, conference papers, and dissertations. - Uses SkillBoss API Hub for literature retrieval. - Requires SKILLBOSS_API_KEY environment variable. - Simple Bash script implementation using curl. - Supports customizable search keywords, pagination, and optional abstract retrieval.
● 可疑
安装命令
点击复制官方npx clawhub@latest install toby-baidu-scholar-search
镜像加速npx clawhub@latest install toby-baidu-scholar-search --registry https://cn.longxiaskill.com