Bdpan Storage
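v1.2.0
Baidu Netdisk file management Skill. Supports upload, download, transfer, share, listing, search, move, copy, rename, and folder creation. Triggered when the user mentions "Baidu Netdisk"/"bdpan"/"netdisk" and the request involves a file operation (upload/download/transfer/share/view/search/move/copy/rename/new folder/login/logout). When the user says "upload to netdisk", "download from Baidu Netdisk", "transfer to netdisk"...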
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill implements a Baidu Netdisk client: upload/download/transfer/share/list/search/mv/cp/rename/mkdir and includes install/login/update/uninstall scripts. All requested actions and files are consistent with a storage-management skill and the declared working directory (/apps/bdpan/). There are no unrelated credentials or unexpected service access requested.
Instruction Scope
SKILL.md confines operations to /apps/bdpan/, requires explicit user confirmation in ambiguous cases, forbids printing config/token files, and mandates using the provided login script rather than raw bdpan login subcommands. The runtime instructions only run local scripts and the bdpan CLI, as expected for this functionality.
Install Mechanism
Install/update scripts download a bdpan installer and skill update packages from Baidu domains (issuecdn.baidupcs.com and pan.baidu.com) and perform SHA256 checks. Using the official CDN is expected for this tool, but the checksum file is fetched from the same origin (CDN/config API). That is common but provides less independent assurance than a separately-signed checksum; remote-download-then-exec always carries risk if the remote host or its distribution channel is compromised.
Credentials
The skill declares no required environment variables or credentials. Scripts accept optional environment overrides (BDPAN_BIN, BDPAN_INSTALL_DIR, BDPAN_CONFIG_PATH) which are reasonable for install/config control. The update script also checks for agent-related env vars to avoid silent --yes in agent contexts; this is reasonable and not excessive.
Persistence & Privilege
The skill is not always-enabled and allows autonomous invocation (normal). It writes to user-local paths (~/.local/bin and ~/.config/bdpan) during install and removes them on uninstall — appropriate for a CLI installer. There is no attempt to modify other skills or system-wide agent configuration.
Assessment
This skill appears to do what it says: it manages Baidu Netdisk via a CLI and bundles installer/login/update/uninstall scripts. Key things to consider before installing:
- The install/update process downloads and executes binaries from Baidu's CDN and from pan.baidu.com; although the scripts perform SHA256 checks, the checksum is retrieved from the same remote source. If you need stronger assurance, manually verify checksums from an independent source or install the bdpan CLI yourself and use the skill in skip-download mode (BDPAN_BIN).
- The login flow requires pasting an authorization code into the terminal; never paste tokens or config files into chat. The skill explicitly forbids printing ~/.config/bdpan/config.json — follow that.
- The skill will create binaries in ~/.local/bin and config in ~/.config/bdpan; uninstall.sh removes them and clears tokens. Use uninstall.sh or bdpan logout when finished or in shared environments.
- If you prefer not to allow any remote installs, pre-install the bdpan CLI yourself and run the skill with BDPAN_BIN set.
Overall this is internally coherent for its stated purpose, but as with any remote installer, only proceed if you trust the upstream CDN and are comfortable with local binary and config files being created.
Like a lobster shell, security has layers — review code before you run it.
