qianfan clawhub
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill does what it claims, but its installer downloads and unpacks remote skill archives with weak safety checks and can send the Baidu API key to a user-specified endpoint.
Review this skill carefully before installing. It is a marketplace installer, so it can persistently add or overwrite agent skills. Use the default Baidu endpoint, set an explicit trusted workdir if needed, avoid --force unless you intend to overwrite an existing skill, and only install slugs you trust.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised skill archive could potentially write files outside the intended skill folder or install unsafe skill content that later affects agent behavior.
The installer writes files from a downloaded ZIP using archive-provided names without visible normalization, path traversal checks, allowlisting, or package integrity verification.
target_path = os.path.join(skill_dir, target_name) ... with zf.open(name) as src, open(target_path, 'wb') as dst: dst.write(src.read())
Only install skills from trusted sources, avoid using --force unless necessary, and the publisher should validate archive paths and verify package integrity before writing files.
If the agent or user supplies an untrusted endpoint, the Baidu API key could be disclosed to a non-Baidu server.
The script allows a custom API endpoint and sends the BAIDU_API_KEY bearer token in requests to that endpoint.
parser.add_argument('--endpoint', type=str, default=None, help='指定 API 服务器地址') ... headers = {'Authorization': f'Bearer {self.api_key}'}
Use only the default Baidu endpoint unless you fully trust the alternative endpoint; the publisher should restrict or clearly warn about credential use with custom endpoints.
Users may believe installed skills are more strongly verified than the artifacts demonstrate.
The documentation claims verification, but the provided installer code only checks HTTP status and ZIP readability before extracting and writing files.
**Automated Management** - Integrated download, extraction, verification, and installation
Treat installs as unverified unless the publisher adds explicit signature, checksum, provenance, and safe-extraction checks.
A local service on port 4096 can influence where skills are installed, which may surprise users because the README emphasizes the default ~/.qianfan workspace.
When no workdir is supplied, the script asks a local HTTP service for the workspace directory and uses that value as the install destination.
response = requests.get("http://localhost:4096/path", timeout=5) ... self.skills_dir = os.path.join(json_data['directory'], 'skills')
Confirm the resolved install directory before installing, or pass an explicit trusted --workdir.
