CloudPlus
ReviewAudited by ClawScan on May 10, 2026.
Overview
CloudPlus is a coherent enterprise-chat automation skill, but it needs review because it installs an unpinned global npm tool and can send messages/files and read chat data through the user's CloudPlus session.
Install only if you trust the cloudplus-mcp-server npm package and are comfortable letting the agent operate your CloudPlus desktop account. Before use, verify the active CloudPlus account and require confirmation before sending any message, file, or link.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this skill may cause the agent to fetch and run unreviewed third-party npm code that will then be used for CloudPlus account actions.
The skill instructs the agent to install a global npm package at runtime, but the reviewed artifacts include no package code, lockfile, pinned version, homepage, or install spec for that dependency.
如果命令不存在,执行安装: ```bash npm install -g cloudplus-mcp-server ```
Verify the npm package, publisher, and version before installation; prefer a pinned, reviewed install path and require user approval before installing global packages.
A mistaken or over-broad instruction could send the wrong message or file to a person or group in CloudPlus.
The skill can send messages and files in an enterprise communications app, and the workflow says to execute the corresponding command without clearly requiring final user confirmation of the recipient, content, or file.
mcp-cloudplus send-text --to <用户名或群名> --message <内容> ... mcp-cloudplus send-file --to <用户名或群名> --file <文件路径> ... 1. 检查 `mcp-cloudplus` 是否安装,未安装则安装 2. 执行对应命令
Require explicit confirmation before sending messages/files or opening URLs, including the exact recipient, content, file path, and destination.
The skill may act as whichever CloudPlus account is logged in on the desktop client, including searching data and sending communications as that user.
The error handling indicates the tool depends on the local CloudPlus desktop client, so operations likely run with the currently signed-in user's CloudPlus privileges.
`找不到管道路径文件` → 提示用户确认云加桌面客户端是否已启动
Confirm the active CloudPlus account before use and limit use to tasks the user explicitly authorizes.
Private CloudPlus conversations or files could be surfaced to the agent and summarized back to the user.
The skill can retrieve private enterprise chat messages, chat history, files, and collected content. The artifacts do not show persistence, but the retrieved content may be sensitive and becomes agent context.
mcp-cloudplus search-message <关键词> ... mcp-cloudplus get-chat-history --username <用户名或群名> --start <YYYY-MM-DD> [--end <YYYY-MM-DD>] ... mcp-cloudplus get-collect-content
Use narrow search terms/date ranges, avoid retrieving unnecessary private conversations, and do not treat chat contents as trusted instructions.