Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

onedrive-photo-batch

v0.2.0

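OneDrive photo batch-processing and indexing skill. Used to filter OneDrive photos by name/date/size/format/album, and for batch OCR/multimodal recognition, full indexing, hash-based incremental skipping, semantic search, move/upload/delete/restore, and recycle-bin management. The user mentions OneDrive batch recognition, photo indexing, album-level model policy, rate-limited concurrency, delete/restore, 15-day recycle-bin cleanup...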

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The script implements OneDrive browse/download/ocr/index/move/delete/restore functionality that matches the skill description. It uses msal + Microsoft Graph for access and a remote OCR/embedding provider for recognition/embeddings, which is reasonable for this purpose. Minor mismatch: authentication/config is provided via files (config.json & token cache) rather than declared environment variables, which is acceptable but should be noted. Default OCR/embedding endpoints point to https://api.siliconflow.cn (third‑party) — plausible but important to be aware of.
! Instruction Scope
SKILL.md instructs the agent to copy/edit the provided config and run the script; those instructions only reference the skill's config paths. However, the runtime (scripts/onedrive_photo_batch.py) will also attempt to read a legacy token cache at /root/.openclaw/workspace/token_cache.json (legacy_cache_path). That file path is outside the skill's own workspace and could contain other tokens — the code will deserialize it for migration, which expands scope beyond the stated purpose. The script also writes token cache, DB, logs and a recycle directory under /root paths and will delete local recycle files automatically after 15 days.
Install Mechanism
No install spec (instruction-only + included script). This minimizes install-time risk — dependencies are standard Python packages (msal, requests) that the user must install into a virtualenv. Nothing in the package install mechanism fetches arbitrary remote code at install time.
! Credentials
The skill requests no platform env vars but requires sensitive configuration values in its config file: Azure auth.client_id (and via device-flow will obtain and persist an access token), and OCR/embedding api_key(s). By default, OCR/embedding traffic is sent to a third‑party endpoint (https://api.siliconflow.cn). That means image bytes and extracted text/embeddings would be transmitted off‑site — proportionate for OCR/semantic indexing but a privacy/exfiltration risk that must be accepted explicitly. Additionally, the runtime's attempt to read a legacy token cache at /root/.openclaw/workspace/token_cache.json could allow it to access unrelated tokens/credentials, which is disproportionate to the OneDrive photo task.
! Persistence & Privilege
The skill does not set always:true and can be invoked normally. At runtime it will persist a token cache, an SQLite index DB, logs, and local recycle files (tmp_photo). Writing its own token cache and index is expected, but reading/migrating a legacy cache at a global path is a privilege expansion: it may access tokens created by other tools. The skill can perform destructive cloud operations (delete/move/upload) if configuration is changed (mode.read_only=false and auth.scopes set to Files.ReadWrite); by default read_only=true but enabling writes requires deliberate config changes.
What to consider before installing
Key things to consider before installing and running this skill:
- Data sent off-site: By default the skill will send images/text/embeddings to the external API at https://api.siliconflow.cn (OCR and embedding). If you are processing sensitive photos, confirm you trust that provider or replace the endpoint with a trusted/local service.
- Credentials and token cache: The script requires an Azure client_id and uses MSAL device-flow to obtain a Graph access token which it will persist to disk. It also attempts to read a legacy token cache at /root/.openclaw/workspace/token_cache.json — check that file and path exist only for this skill and do not contain unrelated credentials you don't want accessed.
- Writes & destructive ops: By default config.mode.read_only=true (safe). To enable delete/move/upload you must explicitly set mode.read_only=false and upgrade auth.scopes to Files.ReadWrite; only do this after backing up data and reviewing the code. Consider running in a test account or with Files.Read scoped access first.
- Local file writes: The skill will create/modify token cache, index DB, logs and a recycle directory (tmp_photo). The skill also runs an automatic 15‑day cleanup that deletes local recycle files; if you need long‑term copies, back them up elsewhere.
- Run in isolation: For privacy, run the skill in an isolated environment/user account or container, and use a dedicated Azure app/client_id and dedicated OCR API keys. Change config paths (token_cache, db, tmp_dir, recycle_dir) to locations you control.
- Inspect and/or modify endpoints: If you prefer not to use the provided external OCR/embedding service, edit the config to point to a provider you trust or integrate a local OCR model.
- If unsure: Because the code reads a global legacy token cache path, treat this as a potential data‑exposure risk. If you cannot audit or control the token cache file, do not run the skill on an environment that holds other sensitive tokens or credentials.
If you want, I can point to the exact lines that read/write the legacy cache and the default OCR endpoint so you can review or modify them prior to running.

Like a lobster shell, security has layers — review code before you run it.

latestvk979b72xd63gsm228w4cay6vw183jn3p

