Taiji Topo File Downloader
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can access and download Taiji files available to the user's current browser session.
The skill directs automation through the user's Chrome profile on the Taiji domain, so actions are performed with whatever logged-in session and account permissions the browser already has.
`browser.tabs(profile="chrome")` ... `targetUrl` 不含 `a.taiji.woa.com`
Use it only on the intended Taiji tab and account, and confirm the target file before allowing the automated download.
A UI change could cause the automation to click an unintended row action instead of download.
The DOM fallback clicks the first link or button in the matched file row, assuming it is the download control. This is purpose-aligned, but could click the wrong control if the UI order changes.
`const ops = hit.querySelectorAll('a,button');` ... `ops[0].click();`Prefer a clearly labeled download control when available, and verify the row/action before using the DOM fallback.
If another Chrome download is happening, the wrong temporary file could be moved or renamed.
The documented shell template executes local commands and moves the newest Chrome temporary download file into a renamed output path. This supports the stated purpose, but can affect the wrong temporary file during concurrent downloads and relies on the provided filename being safe.
`temp_file=$(ls -t ~/Downloads/.com.google.Chrome.* 2>/dev/null | head -1)` ... `mv "$temp_file" "$out_dir/$file_name"`
Run the shell step only after the intended download, avoid concurrent downloads, sanitize the output filename, and consider replacing `eval echo "$base_dir"` with a safer fixed path such as `$HOME/Downloads`.