qianfan clawhub
Pass
Audited by VirusTotal on May 14, 2026.
Findings (1)
The skill functions as a package manager for the Baidu Qianfan ecosystem, which inherently involves high-risk operations like downloading and executing remote code. A potential Zip Slip vulnerability exists in `scripts/qianfanclawhub.py` because the `install_skill` function does not sufficiently sanitize file paths within downloaded ZIP archives before extraction. Additionally, the script attempts to discover the local environment's directory structure by querying an undocumented local endpoint at `http://localhost:4096/path`.
