← 返回 Skills 市场

Baidu Search Node

Name: Baidu Search Node
Author: wsh66660

作者 wangsihong · GitHub ↗ · v1.1.0

cross-platform ⚠ suspicious

932

总下载

当前安装

版本数

在 OpenClaw 中安装

/install baidu-search-node

功能描述

通过 Node.js 脚本调用百度搜索 API，可按关键字和数量参数获取排序、标题、摘要和链接的搜索结果。

使用说明 (SKILL.md)

Baidu Search Skill

百度搜索命令行工具，通过 Node.js 脚本爬取百度搜索结果（无需 API key）。

激活条件

当用户提到：

百度搜索
用百度搜一下
baidu search
使用 baidu_search 工具

工具实现

使用 baidusearch.js 脚本，位于 /Users/mac/.openclaw/workspace/skills/baidu-search/baidusearch.js

使用方式

# 基本搜索
node baidusearch.js "搜索内容"

# 指定结果数量
node baidusearch.js "搜索内容" -n 10

# 调试模式
node baidusearch.js "搜索内容" -n 5 -d 1

参数说明

参数	类型	必需	默认值	说明
`[keyword]`	string	是	-	搜索关键字
`-n, --num`	number	否	10	返回结果数量
`-d, --debug`	number	否	0	调试模式（0-关闭，1-打开）

返回格式

每条搜索结果包含：

rank - 排名
title - 标题
abstract - 摘要/描述
url - 链接

与百度官方 API 技能对比

功能	baidu-search-node (本技能)	baidu-search (官方 API)
API Key	❌ 不需要	✅ 需要 BAIDU_API_KEY
资源类型过滤	❌ 仅网页	✅ web/video/image/aladdin
时间过滤	❌ 不支持	✅ week/month/semiyear/year
网站过滤	❌ 不支持	✅ 匹配/屏蔽网站
安全搜索	❌ 不支持	✅ 支持
实现方式	网页爬虫	百度千帆 API

配置

在 openclaw.json 中添加：

{
  tools: {
    baiduSearch: {
      enabled: true,
      scriptPath: "/Users/mac/.openclaw/workspace/skills/baidu-search/baidusearch.js",
      defaultCount: 5,
      timeout: 30000,
    },
  },
}

使用方法

// 执行百度搜索
const { execSync } = require('child_process');

function baiduSearch(query, count = 5) {
  const scriptPath = '/Users/mac/.openclaw/workspace/skills/baidu-search/baidusearch.js';
  const cmd = `node "${scriptPath}" "${query}" -n ${count}`;
  const output = execSync(cmd, { encoding: 'utf-8' });
  return parseOutput(output);
}

依赖安装

# 进入 skill 目录
cd /Users/mac/.openclaw/workspace/skills/baidu-search

# 安装依赖
npm install axios cheerio commander

注意事项

需要 Node.js 环境
依赖 axios、cheerio、commander 包
搜索结果来自百度网页，可能包含广告
建议设置合理的 timeout 避免请求超时
无需 API key，开箱即用

安全使用建议

This skill is a web-scraper that fetches HTML from baidu.com and parses results — it is not an official Baidu API client despite the description. Before installing: (1) accept that scraped HTML is brittle and may break or return unexpected content (and could include ads); (2) review the full baidusearch.js to ensure there are no hidden remote endpoints or unexpected behaviors (current code shows only requests to baidu.com); (3) be aware the SKILL.md uses a hard-coded /Users/mac path — update to a correct path for your environment to avoid executing unknown local files; (4) the package-lock references cnpm mirrors — if your environment requires packages from the official npm registry, re-install dependencies from registry.npmjs.org or inspect the packages; (5) run the skill in a sandbox or non-production environment first if you have concerns about scraping TOS or outbound network activity. If you expected an official Baidu API client (with API-key features or filters), do not rely on this skill.

功能分析

Type: OpenClaw Skill Name: baidu-search-node Version: 1.1.0 The skill is classified as suspicious due to a critical shell injection vulnerability identified in the `SKILL.md` file. The `baiduSearch` function, intended to be executed by the OpenClaw agent, constructs a shell command using `execSync` where the `query` parameter is directly interpolated without proper shell escaping. This allows an attacker to inject arbitrary shell commands (e.g., `foo"$(rm -rf /)"`) leading to Remote Code Execution (RCE) on the host system. While the `baidusearch.js` script itself correctly `encodeURIComponent` for URL parameters, this sanitization occurs too late, after the shell command has already been formed and executed.

能力评估

⚠ Purpose & Capability

The skill description/summary suggests calling a Baidu search API, but the SKILL.md and baidusearch.js clearly implement web scraping of baidu.com (no API key required). This is a semantic mismatch: consumers expecting an official API client (stable query params, time/quality filters) will instead get an HTML scraper with brittle parsing. The SKILL.md explicitly contrasts this tool with an "official API" and admits it is a crawler.

ℹ Instruction Scope

Runtime instructions tell the agent to run a local Node script via node/child_process.execSync and to install axios/cheerio/commander. The SKILL.md points to a hard-coded absolute path (/Users/mac/.openclaw/workspace/skills/...), which may not match other user environments and could cause the agent to execute unexpected local files if paths are different. Aside from calling the local script and performing outbound HTTP requests to baidu.com, the instructions do not ask the agent to read unrelated files or credentials.

✓ Install Mechanism

There is no automated install spec (instruction-only plus included code). Dependencies are standard Node packages (axios, cheerio, commander). The package-lock shows packages resolved from Chinese npm mirrors (r.cnpmjs.org / r2.cnpmjs.org) rather than the official registry; this is notable but consistent with typical mirrors and not inherently malicious.

✓ Credentials

The skill requests no environment variables, no credentials, and no config paths. That is proportionate to a web-scraping/search helper. No secrets-exfiltration indicators are declared in the SKILL.md or package files.

✓ Persistence & Privilege

always is false and the skill is user-invocable; it does not request permanent presence or claim to modify other skills. The SKILL.md shows the agent invoking a local script (normal for this skill type).

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install baidu-search-node
安装完成后，直接呼叫该 Skill 的名称或使用 /baidu-search-node 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.1.0

Added comparison table with official baidu-search API skill, improved docs

v1.0.0

Initial release - Baidu web search via Node.js script with axios/cheerio

元数据

Slug baidu-search-node

版本 1.1.0

许可证 —

累计安装 5

当前安装数 5

历史版本数 2

常见问题