Skillv1.0.10

ClawScan security

Baidu Netdisk Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 19, 2026, 3:11 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill broadly matches its stated purpose (Baidu Netdisk access) but contains several inconsistencies and overclaims (OAuth one‑click without a client id, misleading encryption claims, streaming/large‑file handling that is not implemented), so review before installing.
Guidance: This skill appears to implement Baidu Netdisk operations, but there are several mismatches you should consider before installing: - OAuth workflow: The documentation promises a one‑click OAuth via a provided enterprise app (no API application needed), but the code expects an API Key/Secret from config or environment. Expect you may need to supply your own Baidu API credentials for the auth flow to work. - Token encryption: Tokens are stored encrypted, but if you do not set ENCRYPTION_KEY the code derives the key from a hardcoded string. To avoid predictable encryption, set ENCRYPTION_KEY to a strong secret in your environment before authorizing. - Large files / streaming: The README claims streaming and zero local storage; the upload implementation reads the whole file into memory (fs.readFileSync), which can fail or OOM on large files. Treat the large‑file support claim as optimistic and test carefully. - Metadata mismatches: The published metadata says instruction‑only but the package contains runnable code/bin entries; confirm the source repository (links point to GitHub niukesi) and audit the code yourself if you have sensitive data. Recommended actions: - Inspect src/auth.js and src/baidu-api.js in the repo (they are present) to verify endpoints and keys. - Set ENCRYPTION_KEY env var to a strong secret before authorizing to avoid use of the built‑in key. - Prefer using your own Baidu API Key/Secret (via config or BAIDU_API_KEY/BAIDU_SECRET_KEY) rather than relying on any undocumented shared client_id. - Run the included test-local.sh in a controlled environment and monitor network traffic (mitmproxy) to confirm only pan.baidu.com/openapi.baidu.com are contacted. - Avoid installing on highly privileged hosts until you verify behavior (especially for large uploads). If you need higher assurance, ask the publisher for the exact enterprise client_id they claim to use, or audit/compile/install the package from the authoritative GitHub repo yourself.

Review Dimensions

Purpose & Capability: concernName/description match the code (list/search/download/upload via Baidu APIs). However the README/SKILL.md repeatedly claim an "OAuth 一键授权 / 使用我们的企业应用，无需申请百度 API", yet the code does not embed a client_id/client_secret — auth.js expects apiKey/secretKey from config or environment. That makes the "no API application required" claim misleading. Other capability claims (AES key derived from user password, stream uploads that avoid local storage) are also contradicted by the implementation.
Instruction Scope: concernRuntime instructions are narrowly scoped to interacting with Baidu endpoints and local config. However the docs claim '流式读取、不占用本地磁盘' and '用户密钥由密码派生'; the actual code saves encrypted tokens to ~/.config/configstore/baidu-netdisk-skill.json (Conf) and uses a built-in static secret unless ENCRYPTION_KEY is provided. The upload implementation reads the entire file into memory (fs.readFileSync) which conflicts with the 'streaming' / 'zero local storage' claims and may be problematic for large files.
Install Mechanism: noteRegistry metadata says "instruction-only (no install spec)" but the package contains code, package.json and bin entries. SKILL.md suggests installing via npx/github. There is no remote download from arbitrary hosts; dependencies are standard npm packages. Overall install risk is moderate and typical for an npm CLI package, but the metadata/code mismatch is worth noting.
Credentials: concernThe skill does not request unrelated cloud credentials. It optionally reads BAIDU_API_KEY/BAIDU_SECRET_KEY and ENCRYPTION_KEY from env. However: (1) If ENCRYPTION_KEY is not set, the code derives an AES key from a hardcoded string ('baidu-netdisk-skill-secret-2026'), meaning encrypted tokens are protected with a predictable key (contradicts doc claims that key is derived from a user password). (2) SKILL.md/README suggest OAuth can be used without user API keys (implying a built-in enterprise client id), but the code requires apiKey/secretKey/config to build the authorize URL — a functional/credential mismatch.
Persistence & Privilege: noteThe skill does not request always:true and does not modify other skills. It stores encrypted tokens in the user's config (~/.config/configstore/baidu-netdisk-skill.json) which is expected for this purpose. skill.json declares 'tools': ['exec'] though the code does not spawn arbitrary shell commands; this declaration may grant broader agent exec capability than strictly necessary.