Taiji Topo File Downloader

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: taiji-topo-file-downloader
Version: 1.1.0

The skill bundle automates file downloads from the internal platform 'a.taiji.woa.com' but includes high-risk shell commands in SKILL.md. Specifically, the shell script uses 'eval' and does not sanitize the '$file_name' variable before using it in a 'mv' command, which presents a path traversal vulnerability. While the behavior appears aligned with its stated purpose, using shell execution to manipulate local files in '~/Downloads' without robust input validation is a significant security risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can access and download Taiji files available to the user's current browser session.

Why it was flagged

The skill directs automation through the user's Chrome profile on the Taiji domain, so actions are performed with whatever logged-in session and account permissions the browser already has.

Skill content

`browser.tabs(profile="chrome")` ... `targetUrl` does not contain `a.taiji.woa.com`

Recommendation

Use it only on the intended Taiji tab and account, and confirm the target file before allowing the automated download.

What this means

A UI change could cause the automation to click an unintended row action instead of download.

Why it was flagged

The DOM fallback clicks the first link or button in the matched file row, assuming it is the download control. This is purpose-aligned, but could click the wrong control if the UI order changes.

Skill content

`const ops = hit.querySelectorAll('a,button');` ... `ops[0].click();`

Recommendation

Prefer a clearly labeled download control when available, and verify the row/action before using the DOM fallback.

What this means

If another Chrome download is happening, the wrong temporary file could be moved or renamed.

Why it was flagged

The documented shell template executes local commands and moves the newest Chrome temporary download file into a renamed output path. This supports the stated purpose, but can affect the wrong temporary file during concurrent downloads and relies on the provided filename being safe.

Skill content

`temp_file=$(ls -t ~/Downloads/.com.google.Chrome.* 2>/dev/null | head -1)` ... `mv "$temp_file" "$out_dir/$file_name"`

Recommendation

Run the shell step only after the intended download, avoid concurrent downloads, sanitize the output filename, and consider replacing `eval echo "$base_dir"` with a safer fixed path such as `$HOME/Downloads`.
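A hardened version of the move step that follows these recommendations, written here as an added example rather than taken from the skill's SKILL.md: the filename is restricted to a plain basename, the base directory is fixed instead of passed through `eval`, and the newest Chrome temporary file is found with a glob rather than by parsing `ls`. The function names `valid_file_name` and `move_download` and the `DOWNLOAD_DIR` override are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own script). Assumes Chrome partial downloads
# live in $DOWNLOAD_DIR (default $HOME/Downloads) as .com.google.Chrome.*,
# matching the pattern the skill's template uses.
set -u

# Accept only a plain basename: non-empty, <= 255 bytes, no "/", not "." or
# "..", no leading "-" (so it cannot become an option), no control characters.
valid_file_name() {
  local name=$1
  [ -n "$name" ] || return 1
  [ "${#name}" -le 255 ] || return 1
  case $name in
    */* | . | .. | -*) return 1 ;;
    *[[:cntrl:]]*) return 1 ;;
  esac
  return 0
}

# Move the newest Chrome temporary download to "$out_dir/$file_name".
# Returns non-zero (and moves nothing) on an unsafe name, a missing temp
# file, or an existing target.
move_download() {
  local file_name=$1
  local out_dir=${2:-"$HOME/Downloads"}           # fixed default, no eval
  local download_dir=${DOWNLOAD_DIR:-"$HOME/Downloads"}
  valid_file_name "$file_name" || { echo "refused: unsafe file name" >&2; return 2; }
  mkdir -p -- "$out_dir" || return 3
  # Pick the newest partial download by mtime; the glob handles odd names.
  local newest="" f
  for f in "$download_dir"/.com.google.Chrome.*; do
    [ -e "$f" ] || continue
    if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
  done
  [ -n "$newest" ] || { echo "no Chrome temp download found" >&2; return 4; }
  # Never silently overwrite something already in the output directory.
  [ ! -e "$out_dir/$file_name" ] || { echo "target already exists" >&2; return 5; }
  mv -- "$newest" "$out_dir/$file_name"
}
```

Because `valid_file_name` rejects any name containing `/`, inputs such as `../../.bashrc` fail before `mv` runs, which closes the traversal the audit describes.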