Skill v1.0.6

ClawScan security

360-ai-cloud-disk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 24, 2026, 10:34 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (360 AI 云盘 management) is plausible, but there are multiple inconsistencies and risky behaviors (undeclared required credentials, remote npx execution, and no install spec) that warrant caution before installing.
Guidance
Do not install blindly. Specific things to check before using or deploying:
- The registry metadata should list required env vars (API_KEY etc.); ask the publisher to correct metadata so the platform can warn about secrets.
- Review and verify the MCP_HTTP_URL value (https://mcp.yunpan.com/mcp by default). Only use endpoints you trust. If unsure, block network access or run in an isolated environment.
- Provide a least-privilege API_KEY (rotate it after testing) and avoid using high-privilege keys during evaluation.
- The executor may call npx to download and run @aicloud360/mcp-server-disk@latest — that downloads remote code at runtime. Prefer a pinned, audited package or disable MCP_UPLOAD_FALLBACK to avoid unexpected npx execution.
- Because file-upload-stdio requires absolute local paths, the skill can read arbitrary local files you pass to it; avoid giving paths to sensitive files and consider running the skill on a sandboxed/ephemeral host.
- Ask the author for an explicit install spec and package provenance (signed releases, GitHub repo, or official homepage). If provenance is unknown, treat the skill as higher risk.

If you cannot verify the endpoint/package/source or cannot restrict the execution environment, avoid installing, or run only with minimal test credentials in an isolated environment.

Review Dimensions

Purpose & Capability
Rating: concern
The SKILL.md and code require an API_KEY and other MCP_* settings to talk to an external MCP endpoint (e.g., MCP_HTTP_URL), which is consistent with a cloud-disk tool. However, the registry metadata declared no required environment variables or primary credential; that mismatch is incoherent and misleading. requirements.txt also lists an 'mcp' package even though executor.py does not import it directly, which is another discrepancy.
Instruction Scope
Rating: note
The runtime instructions direct the agent to run executor.py with many tools that legitimately need network and (for uploads) local file access. file-upload-stdio explicitly requires absolute local paths, and the executor supports falling back to an npx-based process to access local files. Reading local files for upload is expected for this purpose, but it does expand the skill's scope to local filesystem access and remote code execution via npx.
Install Mechanism
Rating: concern
There is no install spec (instruction-only packaging), but a requirements.txt is present. The executor can spawn npx to fetch and run an npm package (@aicloud360/mcp-server-disk@latest) at runtime — executing code fetched from npm is higher risk because it downloads and runs remote code locally. No package pinning or verified release URLs are provided. Overall the install/execution mechanism is under-specified and potentially unsafe.
Credentials
Rating: concern
The skill requires API_KEY, and optional ECS_ENV, SUB_CHANNEL, MCP_MODE, MCP_HTTP_URL and fallback controls (documented in SKILL.md and read by executor.py), which are reasonable for a cloud-disk client. However, the registry metadata did not declare these required env vars or a primary credential. That omission prevents platform-level safeguards and is misleading. Also note that providing an API key plus a remote MCP endpoint gives the skill the capability to read/write cloud data and (via npx) to exfiltrate local files if misused.
Persistence & Privilege
Rating: ok
The skill does not request always:true and does not modify other skills. It can invoke subprocesses (node/npx) and make network calls, which is expected for this kind of tool. Autonomous invocation is allowed by default (disable-model-invocation=false) — this is normal, but combined with the other concerns it increases risk.