Baidu Drive (百度网盘) official skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a Baidu Drive file-management and agent-memory backup tool with sensitive but disclosed cloud and local file actions.

Install only if you want an agent to manage files in your Baidu Drive app folder and back up or restore agent memory there. Review paths before uploads/downloads, be careful with share links and permanent links, avoid authorizing on shared machines, and inspect memory backups before restoring because they can replace local agent instruction and memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding
The skill exposes shell execution capability through `allowed-tools: Bash` and includes extensive command execution flows, but there is no explicit permission declaration boundary beyond tool allowance. This increases the chance that a broadly triggered skill can perform impactful local and remote actions without clear user-facing consent semantics, especially because it can install, update, log in, and manipulate files.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The declared description frames the skill as file management and memory backup/restore, but the body also authorizes software installation, login flows, uninstallation, and self-update via downloaded remote content. That mismatch can mislead users and orchestration layers into invoking a skill with far more powerful behavior than advertised, creating supply-chain and credential-handling risk.

Context-Inappropriate Capability

Severity: Low
Confidence: 83%
Finding
The authentication flow explicitly instructs execution of a generic bash script, which introduces shell execution capability beyond the skill's stated Baidu Drive file-management purpose. In an agent setting, wrapping auth in bash increases attack surface because any later change to the script can perform unintended local actions under the guise of login.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill supports backup and restore of agent memory files such as `AGENTS.md`, `SOUL.md`, `MEMORY.md`, and `memory/*.md`, which are likely to contain highly sensitive prompts, history, identities, and secrets. Although it describes the mechanics, it does not provide a strong user-facing warning or consent step specifically about uploading sensitive agent state to a third-party cloud service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The examples normalize uploading, sharing, and transfer of files and links without warning that these actions may expose sensitive data or create public/semi-public access URLs. In a cloud-storage skill, omission of disclosure and confirmation guidance materially raises the chance of accidental data leakage.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The download and file-management examples show writing local files and modifying remote files without warning about overwrite, relocation, or destructive consequences. In a file-management skill, these are state-changing operations, so failing to call out confirmation and path safety can lead to accidental loss or corruption of user data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The automated backup script creates archives in /tmp and deletes them afterward without warning about local disk usage, sensitive temporary-file exposure, or cleanup side effects. Because it combines packaging, upload, and deletion in one unattended flow, users may overlook that local files are being created and removed as part of the process.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The restore flow copies downloaded backup files directly over local memory/workspace files without an explicit confirmation step, which can cause unintended loss or corruption of the agent's current state. Although a local safety backup is created first, users may still unknowingly overwrite important data, and a malicious or incorrect remote backup could replace trusted local instructions or memory content.

VirusTotal

64/64 vendors flagged this skill as clean.