Bdpan Storage

Security checks across malware telemetry and agentic risk

Overview

This Baidu Netdisk skill is mostly coherent, but first use can automatically download and run a local CLI installer without a separate user approval step.

Install only if you are comfortable with a Baidu Netdisk integration that can run shell scripts, install a local bdpan CLI, and keep a persistent Baidu login token. Before first use, explicitly approve any installer or updater, review file paths and share-link operations, and avoid using it on shared or untrusted machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs the agent to execute shell commands (`bdpan`, `bash install.sh`, `login.sh`, `update.sh`) but does not declare corresponding permissions. This creates a governance and sandboxing gap: the platform or reviewer may treat the skill as lower-risk than it actually is, enabling command execution, package installation, and local state changes without explicit permission scoping.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose says the skill manages Baidu Netdisk files, but the document also authorizes software installation, binary download-and-execute, login/auth handling, uninstallation, and self-update behavior. This mismatch is dangerous because users and policy systems may consent to routine file management while the skill performs far more sensitive operations affecting the host system, credentials, and persistent software state.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference documents an uninstall capability that deletes authentication state, configuration, and the local binary, which exceeds the file-management scope described in the manifest. Even if intended for maintenance, exposing destructive lifecycle operations through a skill increases the chance an agent may remove software or credentials based on user phrasing that should have been limited to netdisk file operations.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The update command downloads a zip archive and overwrites local skill files, which is effectively self-modifying code outside the stated skill scope. Any mechanism that fetches and replaces executable or prompt content can become a supply-chain risk if the source, integrity checks, or user consent are weak, and it broadens the skill from file management into local code deployment.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Using the generic keyword '网盘' as a trigger is overly broad and can cause the skill to activate in contexts unrelated to Baidu Netdisk. In an agent setting, overbroad triggering can lead to unintended command execution, login prompts, or file operations when the user meant another storage provider or was speaking generally.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Allowing activation based on 'recent conversation context' without a clear boundary makes trigger decisions ambiguous and stateful in a risky way. The agent may continue performing Netdisk operations after topic drift or after the user has shifted to a different service, increasing the chance of unintended actions on files, credentials, or remote storage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The upload/share examples instruct users to transmit local files to Baidu Netdisk and generate public share links without any disclosure that file contents and metadata leave the local system. This can lead to accidental disclosure of sensitive documents or over-sharing when users follow examples verbatim.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The download, move, copy, rename, mkdir, and transfer examples perform state-changing operations on local filesystems and cloud storage without warning that they will create, overwrite, move, or otherwise modify data. In an agent setting, omission of these side-effect warnings increases the risk of unintended data loss, clutter, or destructive changes from routine prompts.

VirusTotal

65/65 vendors flagged this skill as clean.