Terabox Link Extractor
Review
Audited by ClawScan on May 10, 2026.
Overview
The main TeraBox extraction flow is disclosed, but the optional download CLI has weak path handling that may write files outside the promised Downloads folder.
Review the optional download feature before using it. The link extraction behavior is mostly clear and consent-oriented, but avoid running the CLI download mode until the path handling is fixed, and only send TeraBox links you are comfortable sharing with XAPIverse.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the optional download mode is used, a crafted output path or unsafe filename returned by the provider could cause files to be written or overwritten outside the intended Downloads folder.
The --out boundary check uses a simple string prefix test, and the final destination appends the API-returned file.name without sanitizing path separators or rechecking that the resolved file path remains under Downloads.
const potentialPath = path.resolve(DOWNLOAD_ROOT, args[i + 1]);
if (!potentialPath.startsWith(DOWNLOAD_ROOT)) ...
const dest = path.join(outDir, file.name);
Resolve and validate the final destination path with path.relative, reject absolute paths and '..' segments, sanitize filenames to a basename, and verify the final write target is inside Downloads before creating the file.
The provider API key may grant access to the user's XAPIverse quota or account features.
The skill sends the configured TERABOX_API_KEY to the XAPIverse API as an authentication header, which is expected for this integration.
'xAPIverse-Key': key
Use a dedicated API key for this skill if possible, store it only in the intended OpenClaw configuration, and rotate it if it is exposed.
A private TeraBox share URL and the API key are shared with XAPIverse whenever extraction is approved.
The skill clearly discloses that user-provided TeraBox URLs and the API key are sent to an external provider, which is purpose-aligned but sensitive.
the full target URL and your API key (TERABOX_API_KEY) are transmitted to `https://xapiverse.com` for processing
Only approve extraction for links you are comfortable sending to XAPIverse, and avoid using the skill for highly sensitive private files.
