baidunetdisk

v1.0.1

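Comprehensive management for Baidu Netdisk: file viewing, search, share-link extraction, one-click transfer-and-save, and directory creation.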

by MaxStormSpace @lilei0311
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and SKILL.md implement Baidu Netdisk operations that legitimately require BDUSS/STOKEN credentials; however, the registry summary at the top lists no required environment variables or primary credential, which is inconsistent with the skill.json and SKILL.md that both require secrets. This mismatch is a red flag about metadata accuracy or packaging.
Instruction Scope
SKILL.md stays within the declared purpose: it instructs how to provide BDUSS/STOKEN (via config.json or environment variables), how to run the included Python script, and warns about sensitive data. It directs storing credentials locally (config.json) and manual extraction via browser devtools. There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only) and dependencies are minimal (requests). README mentions tqdm while SKILL.md does not — minor inconsistency but low install risk. No remote downloads or archives are used.
Credentials
The skill requires BDUSS and STOKEN, which grant full access to a Baidu Netdisk account — this is proportionate to the functionality but highly sensitive. The top-level registry metadata incorrectly shows no required credentials, increasing risk of accidental credential disclosure. The skill.json marks bduss and stoken required and secret (which is appropriate), but users must understand these tokens are equivalent to full account access and should not be provided from a primary account.
Persistence & Privilege
always:false (normal). The skill.json includes a 'tools': ['exec'] field which could allow agent shell execution capabilities in some runtimes; the Python script itself doesn't appear to perform system-wide modifications. Verify whether the platform will grant an 'exec' tool and whether that's necessary.
What to consider before installing
This skill does what it says, but it needs BDUSS and STOKEN — tokens that effectively give full access to your Baidu Netdisk. Before installing:
1) Verify the skill's source (the package metadata links to a GitHub URL but the 'Source' and 'Homepage' in the top summary are unknown/missing).
2) Prefer using a throwaway/test Baidu account rather than your main account.
3) Provide credentials via environment variables rather than writing them into repo files, and protect config.json if you use it (tight file permissions).
4) Confirm you trust the code: review scripts/main.py (network calls go to pan.baidu.com and share verification endpoints) and ensure there are no hidden exfil endpoints.
5) Note the registry metadata inconsistency (it doesn't list required creds) — ask the publisher or inspect skill.json/SKILL.md before granting secrets.
6) If you are uncomfortable, do not install or run the skill with real account tokens.

Like a lobster shell, security has layers — review code before you run it.
