qianfan clawhub
Search and install Baidu Qianfan ecosystem skills (supports prefix-matching search)
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 22 · 0 current installs · 0 all-time installs
by baidu_qianfan@baiduQianfanGroup
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
Name/description, SKILL.md and the included script align: the tool performs prefix search and anonymous download from a Baidu BOS (S3-compatible) bucket and installs files to a workspace. Required binary (python3) and boto3 dependency are expected. Minor mismatch: requirements.txt pins 'requests' though the script does not use it.
Instruction Scope
SKILL.md instructs the agent/user to run the included script to search and install skills; the script will list and download arbitrary objects from the public bucket and write them to the chosen workdir (default ~/.qianfanclawhub/... ). The instructions do not mention validating content, checksums, or scanning for unsafe filenames. The agent/user could therefore receive and store arbitrary data.
Install Mechanism
There is no install spec (instruction-only style plus included script). Dependencies are typical (boto3). The runtime downloads objects directly from a public BOS endpoint at install time — this is expected given the stated purpose, but runtime network fetch of arbitrary files increases risk compared to a reviewed release artifact.
Credentials
The skill declares no required environment variables or credentials and the script is written to use unsigned (anonymous) access to the BOS endpoint. It does not read other environment variables. Note: boto3 is present but the code sets signature_version=UNSIGNED; it does not require AWS credentials to operate.
Persistence & Privilege
always:false (normal). However the script writes files to disk and allows a custom workdir (including shared paths). The download/write logic uses object keys directly when constructing dest paths without sanitization or normalization, which creates a path-traversal / directory-escape risk (keys containing '../' or absolute-like segments could cause files to be written outside the intended workspace and potentially overwrite important files).
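One way to close the directory-escape risk described above, as an added example: it is not the skill's own code, and the script's download logic is not shown on this page. The function names, the `skills/demo-skill/` prefix and the sample keys are assumptions constructed for illustration.

```python
from pathlib import Path


class UnsafeKeyError(ValueError):
    """An object key that must not be written to disk."""


def safe_dest(workdir, key, prefix=""):
    """Return the path for `key`, guaranteed to lie inside `workdir`."""
    if not key.startswith(prefix):
        raise UnsafeKeyError(f"key outside expected prefix: {key!r}")
    # Bucket keys use "/"; fold "\" into it so it cannot act as a hidden separator.
    rel = key[len(prefix):].replace("\\", "/")
    segments = rel.split("/")
    # Empty segments cover a leading "/", "//" and directory-marker keys.
    # ":" is refused conservatively (drive letters, alternate data streams).
    if "\x00" in rel or any(s in ("", ".", "..") or ":" in s for s in segments):
        raise UnsafeKeyError(f"unsafe path segment in key: {key!r}")
    root = Path(workdir).resolve()
    dest = root.joinpath(*segments).resolve()
    # Second check after resolution: catches symlinks already present in workdir.
    if root not in dest.parents:
        raise UnsafeKeyError(f"key resolves outside workdir: {key!r}")
    return dest


def plan_install(workdir, keys, prefix=""):
    """Split keys into {key: dest} to download and a list of refused keys."""
    accepted, rejected = {}, []
    for key in keys:
        try:
            accepted[key] = safe_dest(workdir, key, prefix)
        except UnsafeKeyError:
            rejected.append(key)
    return accepted, rejected


# Constructed sample listing (not real bucket contents).
SAMPLE_PREFIX = "skills/demo-skill/"
SAMPLE_KEYS = [
    "skills/demo-skill/SKILL.md",
    "skills/demo-skill/scripts/run.py",
    "skills/demo-skill/../../../.bashrc",
    "skills/demo-skill//etc/cron.d/job",
    "skills/other-skill/SKILL.md",
]

if __name__ == "__main__":
    ok, bad = plan_install("./skills-workdir", SAMPLE_KEYS, SAMPLE_PREFIX)
    print("write:", sorted(map(str, ok.values())), "refused:", bad)
```

Refusing the whole install when any key is rejected is the stricter policy; the split return value lets the caller choose.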
What to consider before installing
This tool does what it says (anonymous search + download from a public Baidu BOS bucket) but treats remote object keys and contents as trusted. Before installing or running it: (1) run it with --workdir pointed at an isolated directory (temporary folder or container), not a shared project or your home; (2) inspect downloaded files before executing them (do not auto-run anything the skill downloads); (3) be cautious if you must use a shared path — attackers could craft object keys that include '../' to write outside the workspace and overwrite files; (4) consider running the script inside a sandbox/container with limited filesystem and network privileges; (5) if you plan to rely on installed skills, prefer audited packages or verify checksums/signatures from a trusted source. If the author can be reached, ask them to (a) sanitize/normalize object keys before writing, (b) add checksum/signature verification, and (c) document safety guarantees for installation destinations.
Like a lobster shell, security has layers — review code before you run it.
Current version v1.0.0
Runtime requirements
🔍︎ Clawdis
Bins: python3
SKILL.md
Qianfan Skills Marketplace
A dedicated search and installation tool for Baidu Qianfan ecosystem skills. Provides secure skill discovery and management through anonymous access to Baidu Cloud BOS storage.
✨ Core Capabilities
- Prefix-matching Search - Fuzzy search based on skill slug prefixes
- Precise Installation - Install skills using complete slug names
- Flexible Workspace - Customize installation directory via --workdir parameter
- Automated Management - Integrated download, extraction, verification, and installation
📋 Usage Examples
🔍 Search Skills
# Basic search (returns 20 results by default)
python3 scripts/qianfanclawhub.py search "ai"
# Limit results
python3 scripts/qianfanclawhub.py search "ppt" --limit 10
# Search with custom workspace
python3 scripts/qianfanclawhub.py search "baidu" --workdir "/custom/path"
⬇️ Install Skills
# Install to default location (~/.qianfan/workspace/skills/)
python3 scripts/qianfanclawhub.py install "baidu-search"
# Force overwrite existing skill
python3 scripts/qianfanclawhub.py install "ai-ppt-generate" --force
# Install to custom directory
python3 scripts/qianfanclawhub.py install "skill-name" --workdir "/shared/skills"
# Install with custom directory and force overwrite
python3 scripts/qianfanclawhub.py install "skill-name" --workdir "./project/.skills" --force
⚠️ Key Points
- Search: Prefix-matching only (e.g., "ai-" finds "ai-ppt", "ai-agent")
- Installation: Requires exact skill slug name
- Security: Anonymous access, no API keys needed
- Work Directory: Use --workdir to install/search in custom location
🎯 Quick Start
- Search: python3 scripts/qianfanclawhub.py search "keyword"
- Copy exact slug name from results
- Install: python3 scripts/qianfanclawhub.py install "slug-name"
- Use --workdir for custom installation location
🔗 Related Skills
This skill works best with the baidu-search skill, enabling quick access to Baidu ecosystem skills and optimizing the development experience in Chinese environments.
