qshell-copilot

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Qiniu qshell helper, but it can use your Qiniu credentials to change or delete cloud-storage data, so review commands carefully.

Install only if you intend to let the assistant operate qshell for your Qiniu account. Review bucket names, paths, overwrite/delete/move operations, and CDN refreshes before approving them, and use limited-scope Qiniu credentials where possible.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the assistant could change or remove files in a Qiniu bucket; deletion may be hard to recover without versioning.

Why it was flagged

The skill exposes qshell commands that can mutate or delete remote cloud-storage objects. The delete workflow includes an explicit confirmation safeguard, making this disclosed and purpose-aligned rather than suspicious.

Skill content

| Delete file | `qshell delete <Bucket> <Key>` | ... **Before deleting**: Always run `qshell stat` first ... Wait for explicit confirmation before executing `qshell delete`.

Recommendation

Confirm bucket names, object keys, and operation type before approving mutating commands, especially delete, move, overwrite, CDN refresh, and bucket-creation operations.

What this means

Anyone or any agent with access to the configured qshell account may be able to manage the associated Qiniu storage resources.

Why it was flagged

The skill depends on Qiniu account credentials and local qshell account state. This is expected for a Qiniu management skill, but those credentials grant meaningful account authority.

Skill content

`qshell user ls` ... `qshell account <AccessKey> <SecretKey> <Name>` ... Direct them to [Qiniu Key Management](https://portal.qiniu.com/user/key) to get their AK/SK.

Recommendation

Use least-privilege Qiniu keys where possible, avoid sharing SecretKeys in chat unnecessarily, and rotate credentials if they may have been exposed.

What this means

Installing the wrong or tampered binary could affect the local machine and any Qiniu credentials used through it.

Why it was flagged

The install guide directs users to install an external CLI binary into PATH. This is normal for qshell, but the artifact does not pin a version or provide checksum verification.

Skill content

Download from [qshell GitHub Releases](https://github.com/qiniu/qshell/releases) ... `chmod +x qshell` ... `sudo mv qshell /usr/local/bin/`

Recommendation

Install qshell only from Qiniu’s official release channel or package manager, prefer verified releases, and avoid running binaries from untrusted mirrors.