Bdpan Storage
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Baidu Netdisk file-management skill, but it can automatically download and run a CLI installer on first use, so it should be reviewed before installation.
Install only if you are comfortable with a Baidu Netdisk integration that can run local shell scripts, install the bdpan CLI, and use a persistent Baidu login token. Before first use, explicitly approve any installer or updater, confirm file paths and share operations, and avoid using it on shared or untrusted machines.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user asking to use the netdisk feature could cause the agent to install software automatically on the local machine.
The agent is instructed to run a non-interactive installer automatically when the CLI is missing, rather than requiring a separate explicit user approval at install time.
`command -v bdpan` checks whether the bdpan CLI is already installed; if it is not, run `bash @skills/bdpan-storage/scripts/install.sh --yes` to install it automatically
Require explicit user approval before running install.sh, and make the required bdpan binary/install step visible in the registry metadata.
Installing the skill depends on trusting the remote CDN and installer package.
The installer downloads a platform-specific executable from a remote CDN and runs it. The script performs SHA256 validation, but the checksum is also fetched remotely rather than pinned in the skill artifact.
CDN_BASE="https://issuecdn.baidupcs.com/issue/netdisk/ai-bdpan/installer/${VERSION}" ... curl -fsSL -O "${installer_url}" ... ./${installer_name} --yes
Use pinned checksums or signed releases where possible, and tell users clearly that first use may download and run a Baidu-provided CLI installer.
A skill update can change the agent instructions and helper scripts installed locally.
The update script can fetch a remote zip URL from a Baidu configuration endpoint and overwrite the installed skill directory. It asks for confirmation and requires a checksum, so this is disclosed but still worth user review.
CONFIG_API="https://pan.baidu.com/act/v2/api/conf?conf_key=bd_skills" ... curl -fsSL -o "$zip_path" "$remote_url" ... unzip -qo "$zip_path" -d "$SKILL_DIR"
Only run updates after an explicit user request, and review the update source/checksum before applying it.
Anyone with access to the local configuration or an active session could potentially affect the user's Baidu Netdisk data.
The skill uses persistent Baidu OAuth credentials stored locally to access the user's Baidu Netdisk account. This is expected for the integration and the docs warn not to output token contents.
Token storage: the token is stored encrypted in a local configuration file ... `~/.config/bdpan/config.json`
Use this only on trusted machines, do not reveal config contents in chat or logs, and run bdpan logout when finished on shared systems.
Mistaken commands could upload, download, move, rename, copy, or share files in the user's Baidu Netdisk app area.
The skill can mutate cloud files and create share links, which is powerful but directly aligned with the stated file-management purpose and scoped to the bdpan app directory.
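Supports upload, download, transfer, share, list query, search, move, copy, rename, and folder creation. All operations are restricted to the `/apps/bdpan/` directory.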
Review paths and sharing requests carefully, especially before creating public share links or moving/renaming files.
