Security audit

baidupcs-go - Baidu Netdisk command-line tool

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Baidu cloud-storage CLI skill, but it relies on raw account tokens and an unverified external executable for high-impact file operations.

Review before installing. Use BaiduPCS-Go only from a source you trust and verify if possible; avoid pasting full browser cookies or BDUSS/STOKEN into shell commands, and consider a dedicated low-risk account. Manually confirm account identity and paths before any delete, overwrite, share, recycle-bin purge, or configuration-changing command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium (97% confidence)
Finding
The documentation explicitly instructs users to pass BDUSS, STOKEN, and full cookie values directly on the command line. Command-line arguments are commonly exposed through shell history, process listings, logs, screenshots, and telemetry, so this can leak active session credentials and enable account takeover.

Missing User Warnings

Medium (88% confidence)
Finding
The document includes destructive deletion commands, including wildcard and whole-directory deletion, with limited safety emphasis at the point of use. In an agent or copied-command context, such examples materially increase the risk of accidental bulk data loss, especially when users may paste commands without fully understanding scope.

Missing User Warnings

Medium (93% confidence)
Finding
The skill explicitly advertises destructive operations such as deleting, moving, and renaming files, but does not include any warning about irreversible data loss, confirmation requirements, or safe usage guidance in the core capability description. In a file-management skill tied to a cloud storage account, this omission can lead users or downstream agents to invoke destructive commands casually, increasing the chance of accidental deletion or modification of important data.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.