Baidudisk Mcp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Baidu Netdisk integration, but it gives broad cloud-drive and token-backed file-management authority that deserves manual review before installation.

Install only if you are comfortable giving an MCP tool access to your Baidu Netdisk account. Use a dedicated or least-privileged token/account if possible, protect ~/.openclaw/credentials/baidudisk.json, inspect the workspace registration helper before running setup, and require manual approval for uploads, moves, renames, batch operations, or deletes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill documentation describes capabilities to read credentials from an environment/file path, modify local configuration, and make networked requests to Baidu Netdisk, but no explicit permission declaration is present. This creates a real security gap because users and policy engines cannot accurately assess or constrain the skill's access to secrets, filesystem state, and external services before enabling it.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill can retrieve arbitrary public HTTP(S) content and upload it into the user's Baidu Netdisk account, which materially expands capability beyond simple Netdisk CRUD operations. Although the code includes meaningful SSRF mitigations against localhost/private/reserved IPs, it still enables an agent or prompt-influenced workflow to import untrusted remote content into user storage, potentially facilitating unwanted data ingress, policy bypass, or abuse as a downloader/re-hosting bridge.

Missing User Warnings

High
Confidence: 84%
Finding
Batch move can relocate large volumes of user data in one call without any explicit confirmation barrier, making mistakes or prompt-injected misuse much more damaging than a single-file move. The default destination-prefix restriction helps constrain where content can be moved, but it does not prevent broad unauthorized reorganization or effective data disruption within the allowed tree.

Missing User Warnings

Medium
Confidence: 76%
Finding
Batch rename enables large-scale modification of user data naming without a confirmation mechanism, which can cause widespread disruption, confusion, or operational damage if triggered incorrectly or via prompt manipulation. While it does not delete content, bulk renaming can still effectively impair user access and workflows at scale.

Missing User Warnings

Medium
Confidence: 97%
Finding
The client is configured to place the OAuth access_token in the URL query string for multiple upload-related endpoints. Query parameters are commonly exposed in logs, proxies, browser/history tooling, and error telemetry, so token disclosure can occur even when HTTPS is used; a leaked token could let an attacker access or manipulate the user's Baidu Netdisk data within the token's scope.

Missing User Warnings

Medium
Confidence: 95%
Finding
This endpoint sends the OAuth access token as a URL query parameter, which is commonly logged by client libraries, reverse proxies, browser history, observability tools, and upstream servers. Even over HTTPS, placing bearer credentials in the URL increases accidental secret exposure and can enable account access if logs or traces are later disclosed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The second endpoint repeats the same pattern by embedding the access token in the query string for a GET request. This makes credential leakage more likely through URL logging, tracing systems, intermediary infrastructure, and diagnostic output, which is especially relevant in an MCP/server integration handling hot-reloaded credentials.

Missing User Warnings

Medium
Confidence: 89%
Finding
The client performs arbitrary HTTP requests and logs full response bodies at debug level (`logger.debug("response body: %s", r.data)`). In an MCP skill that handles cloud storage operations and token-based authentication, response bodies may contain file metadata, download links, user data, or error payloads with sensitive details, creating an information disclosure risk if logs are collected or exposed.

Unbounded Resource Access

Medium
Category: Excessive Agency
Content
    def request(self, method, url, query_params=None, headers=None,
                body=None, post_params=None, _preload_content=True,
                _request_timeout=None):
        """Perform requests.

        :param method: http request method
Confidence: 95%
Finding
`_request_timeout=None`: the request method applies no timeout unless the caller passes one, so a request to the remote service can block indefinitely.

Unbounded Resource Access

Medium
Category: Excessive Agency
Content
        post_params = post_params or {}
        headers = headers or {}

        timeout = None
        if _request_timeout:
            if isinstance(_request_timeout, (int, float)):  # noqa: E501,F821
                timeout = urllib3.Timeout(total=_request_timeout)
Confidence: 97%
Finding
`timeout = None`: the timeout is only set when `_request_timeout` is supplied; otherwise the urllib3 request runs without any time bound.

VirusTotal

62/62 vendors flagged this skill as clean.
