Quark

Review

Audited by ClawScan on May 13, 2026.

Overview

This mostly looks like a legitimate Quark Drive management skill, but it includes broad backup guidance that could upload local agent configuration and cookies to cloud storage.

Install only if you are comfortable granting this skill access to your Quark Drive account. Use explicit file paths, review delete/share operations before running them, avoid broad uploads of hidden directories like ~/.hermes, and protect or clear the saved Quark cookie if it may have been backed up or exposed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If followed, this example could copy private local agent data or credentials into Quark Drive.

Why it was flagged

The documentation shows a recursive upload of the hidden ~/.hermes agent directory with only limited skip patterns. That directory can contain local agent configuration, skill data, logs, and credentials, so this is broader than a normal selected-file upload.

Skill content

python3 scripts/quark_cli.py batch-upload ~/.hermes --remote-dir /Hermes备份 --skip "cache,output,__pycache__" --max-size 20

Recommendation

Avoid uploading hidden home or agent directories by default. Add clear warnings, preview the file list, and exclude credential/config files before any batch upload.

What this means

Anyone or anything that can read that config file may be able to access the user's Quark Drive session.

Why it was flagged

The script saves the Quark session cookie to a persistent local config file. This is expected for a cloud-drive login flow, but the cookie grants account access.

Skill content

CONFIG_DIR = Path.home() / ".hermes" / "skills" / "cloud-drive" / "quark" ... config["cookie"] = cookie

Recommendation

Protect the config file, do not include it in backups or shares, and clear or rotate the cookie if the file may have been exposed.

What this means

A mistaken command could delete cloud files or expose a file through a share link.

Why it was flagged

The skill intentionally supports deletion, clearing directories, and creating share links. These are coherent with a drive-management tool, but they are high-impact account mutations.

Skill content

"Delete files" | `python3 scripts/quark_cli.py delete <路径>` ... "Clear files" | `python3 scripts/quark_cli.py clear [路径]` ... "Share files" | `python3 scripts/quark_cli.py share <路径> --expire 7d --passcode 1234`

Recommendation

Use these commands only for explicit user requests, review the path and share settings, and prefer confirmations for delete, clear, and public/permanent shares.

What this means

Installing dependencies from an untrusted or compromised package source could affect the local environment.

Why it was flagged

The README instructs users to install an unpinned Python dependency manually. This is normal for a Python CLI, but it leaves package provenance and version selection to the user.

Skill content

pip install httpx

Recommendation

Install httpx from a trusted package index or a pinned/managed environment.

What this means

If used, bot access tokens, chat IDs, or uploaded images may be handled outside the Quark Drive workflow.

Why it was flagged

The skill includes guidance for sending images through QQ Bot APIs, which introduces an additional provider token and chat/file-upload data flow beyond Quark Drive.

Skill content

Requires calling the QQ Bot API directly: 1) obtain an access_token; 2) upload the image to `/v2/users/{chat_id}/files` (file_type=1, file_data=base64); 3) send the message

Recommendation

Use the QQ Bot path only when necessary, keep bot tokens scoped and protected, and ensure images are sent only to the intended chat.