Back to skill

Security audit

夸克网盘Skill - quarkclouddrive

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Quark Drive helper, but it also installs and updates local executable code with broad system changes and handles cloud-drive credentials in ways that warrant Review before installation.

Install only if you trust the publisher and are comfortable granting this skill access to your Quark Drive account and local environment. Expect it to store local auth state, upload/download/share/move cloud files when instructed, cache search metadata briefly, and modify your shell environment. Be especially cautious with public share links, recursive folder uploads, and running the installer on machines that hold sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill requires shell execution and performs installer/uninstaller actions, but it does not declare corresponding permissions in metadata. This weakens the trust boundary for users and reviewers because a skill presented as a cloud-drive helper can still execute system-level commands and modify the local environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose focuses on Quark Drive file operations, but the skill also installs Node.js, downloads remote packages, edits PATH/startup files, creates global launchers, updates local docs, and uninstalls local components. That mismatch is dangerous because it hides substantial system-modifying behavior behind a seemingly routine productivity skill, increasing the chance of unintended code execution and persistence.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation widens file-organize from a copy-only media organization action into a workflow that can ultimately move files after a secondary confirmation. That conflicts with the higher-level skill constraint saying explicit move requests must not use file-organize, and can cause an agent to invoke a destructive path users did not intend under the guise of a non-destructive organize feature.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file contains contradictory instructions: one rule says explicit move requests must not trigger album organization, while later guidance tells the agent to continue the same organize flow with organize-move. In practice, contradictory safety rules are dangerous because agents may follow the later, more operationally specific instruction and perform unintended file relocation.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The directory-handling guidance creates conflicting behavior for destination selection: it says the agent must search for a user-specified folder and, if not found, proceed with the CLI default location. In a file-transfer skill, this ambiguity can cause files from shared links to be saved into an unintended location, which risks privacy leaks, user confusion, and misplacement of sensitive content. The surrounding skill context makes this more dangerous because the tool performs authenticated cloud-drive actions, so even small parameter-handling inconsistencies directly affect real user data.

Description-Behavior Mismatch

Low
Confidence
78% confidence
Finding
The documentation explicitly instructs the agent to use a locally written artifact containing full search results for filtering, sorting, and follow-on actions. That expands the data flow beyond the immediate search response and creates a persistence surface where complete file metadata remains on disk, increasing the chance of unintended reuse, over-broad subsequent actions, or exposure through other local processes or logs.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The CLI contains a self-update workflow that downloads a ZIP from a remote endpoint, extracts it, and replaces files in the installed scripts directory. This is outside the stated skill purpose of Quark Drive file operations/authentication and materially expands the attack surface, especially because a compromised update endpoint or transport path could deliver malicious code for local execution.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation criteria are broad enough that ordinary requests about files, authentication, search, upload, download, or summary could trigger this skill automatically. In context, that is risky because activation leads into shell-based installers and cloud-account operations, so an overly broad trigger can cause unexpected execution in situations where the user did not knowingly request this specific tool.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installation instructions say to run install.sh, which can auto-install Node.js, download a remote ZIP, extract it, modify PATH, and register global commands, but the warning to the user is not proportionate to these system changes. This is dangerous because it normalizes executing a remote bootstrapper with persistence-related side effects without strong disclosure or step-by-step consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill mandates running install.sh before every CLI command, meaning routine user actions can repeatedly trigger network access and environment-changing logic. In context, this makes the risk more severe because even benign file searches or summaries may implicitly execute a bootstrap script that can update binaries, alter configuration, or fail in ways unrelated to the user’s requested task.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer proceeds to overwrite or install files into the target directory without any confirmation prompt, despite performing broad filesystem changes. This increases the risk of accidental replacement of existing local files or unintended installation of remote content, especially during update flows.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script fetches remote setup scripts from NodeSource and pipes them directly into sudo bash, then installs packages with elevated privileges. This creates a high-risk remote code execution path where compromise of the remote endpoint, network path, or script contents leads to root-level command execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer downloads a remote ZIP from a URL obtained at runtime, extracts it, and later copies its contents into executable locations without warning or integrity verification. This exposes users to supply-chain compromise and silent replacement of local command files if the remote artifact is malicious or tampered with.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persistently edits shell startup files to prepend its install directory to PATH without prior confirmation. This can unexpectedly alter command resolution and create lasting environment changes that are hard for users to notice or undo.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs users to submit cloud-file content to backend assistant APIs for summary and Q&A, but does not clearly warn that file contents or derived data may be transmitted to and processed by a remote service. This can cause unintended disclosure of sensitive documents, especially because the skill is explicitly designed for analyzing user-stored files at scale.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs the agent to run `bash install.sh` directly for self-update without any validation, provenance check, integrity verification, or user warning that local code and environment will be modified. If `install.sh` is replaced, tampered with, or sourced from an untrusted location, this creates a supply-chain and arbitrary code execution risk on the local system.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill writes complete search results to a local JSONL file under the user's home directory, including file metadata for potentially sensitive cloud-drive contents, without any user-facing warning or consent flow. Silent local persistence increases privacy and security risk because sensitive filenames, links, timestamps, and identifiers may remain accessible to other local users, processes, backups, or forensic recovery beyond the user’s expectations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly supports generating public and private share links for arbitrary files and instructs the agent to display the resulting URL and passcode, but it does not require any confirmation, sensitivity check, or warning that sharing exposes file access to others. In a file-management skill that may operate on user cloud storage, this omission can lead to accidental data exposure if the agent shares sensitive files or if the user does not understand the implications of public or long-lived links.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to upload local files or entire folders, including recursive directory contents, to a remote cloud service but does not require any explicit user-facing warning or confirmation about the data leaving the local environment. In an agent setting, this increases the risk of unintended exfiltration of sensitive files, especially when users refer to a folder path casually or do not realize subdirectories will also be uploaded.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Multiple API builders append access_token directly into request URLs, which makes tokens far easier to leak via logs, error messages, proxies, browser history-equivalents, and telemetry. In this file, the risk is amplified because the CLI also has verbose curl-style request logging and tracing, so secrets can escape both to disk and to remote observability systems.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Multiple API builders append access_token directly into request URLs, which makes tokens far easier to leak via logs, error messages, proxies, browser history-equivalents, and telemetry. In this file, the risk is amplified because the CLI also has verbose curl-style request logging and tracing, so secrets can escape both to disk and to remote observability systems.

External Transmission

Medium
Category
Data Exfiltration
Content
`)}progress(e,t,r){let n=Number.isFinite(t)?t:0,i=Number.isFinite(r)?r:0,o=i>0?Math.round(n/i*100):0,a={msg:"\u8FDB\u884C\u4E2D",data:{current:n,total:i,percent:Number(o)},action:e,type:"progress"};this.flushResult(a)}spinner(e){return{stop(){},message(){}}}debug(e){this.verbose&&console.error(yt.default.dim(`[DEBUG] ${e}`))}flushResult(e){this.writeStdout(JSON.stringify(e))}writeStdout(e){process.stdout.write(e+`
`)}};K();V();var Ke=O(require("path")),Ou=O(require("os")),ut=O(require("fs")),Lm=!0,Yt=Lm?".quarkclouddrive":".quark-drive",ba="config.json",Uu=`${Yt}/storage.json`,Lu=`${Yt}/search-results`,Ii="./downloads";var Nu=Ke.join(Ou.homedir(),Yt);function Nm(){return Ke.join(Nu,ba)}function Mm(){return Ke.join(Ke.dirname(process.cwd()),Yt,ba)}function Fm(){return Ke.join(process.cwd(),Yt,ba)}function va(){let s=[Nm(),Mm(),Fm()];return[...new Set(s)]}var Mu="cli";function Fu(s){Mu=(s??"").trim().replace(/[^a-zA-Z0-9._-]/g,"_")||"cli"}function $u(){return Mu}var $m="qrcode";function qu(){return Ke.join(Nu,$m)}function Hu(){let s=qu();if(ut.existsSync(s))for(let e of ut.readdirSync(s))try{ut.rmSync(Ke.join(s,e),{recursive:!0,force:!0})}catch{}}function zu(){let s=qu();return ut.existsSync(s)||ut.mkdirSync(s,{recursive:!0}),Ke.join(s,"unauthorize-qr.png")}function An(s=new Date){let e=(i,o=2)=>String(i).padStart(o,"0"),t=-s.getTimezoneOffset(),r=t>=0?"+":"-",n=Math.abs(t);return`${s.getFullYear()}-${e(s.getMonth()+1)}-${e(s.getDate())} ${e(s.getHours())}:${e(s.getMinutes())}:${e(s.getSeconds())}.${e(s.getMilliseconds(),3)} ${r}${e(Math.floor(n/60))}:${e(n%60)}`}function wn(s){let e=/[?&]req_id=([^&]+)/.exec(s);return e?decodeURIComponent(e[1]):""}function Pr(s){return s?s.length<=12?s:`${s.slice(0,12)}\u2026`:""}var B=class extends Error{constructor(e,t,r,n=1,i={}){super(r),this.name="CliExitError",this.exitCode=n,this.action=e,this.errorCode=t,this.errorMsg=r,this.data=i}},Ci=class{constructor(e){this.verbose=e.verbose,this.output=new ws(this.verbose)}finish(e,t={}
...[truncated 27 chars]
Confidence
95% confidence
Finding
curl log session - ${An()} ===== `,"utf8")}function Ec(){Zt=void 0}function Fa(s,e,t,r,n=!1){if(Zt)try{let i=An(),o=wn(e),a=o?` req_id=${o}`:"",l=Object.entries(t).filter(([,h])=>h!==void 0).map(([h,m

Context Leakage

High
Category
Data Exfiltration
Content
`)}progress(e,t,r){let n=Number.isFinite(t)?t:0,i=Number.isFinite(r)?r:0,o=i>0?Math.round(n/i*100):0,a={msg:"\u8FDB\u884C\u4E2D",data:{current:n,total:i,percent:Number(o)},action:e,type:"progress"};this.flushResult(a)}spinner(e){return{stop(){},message(){}}}debug(e){this.verbose&&console.error(yt.default.dim(`[DEBUG] ${e}`))}flushResult(e){this.writeStdout(JSON.stringify(e))}writeStdout(e){process.stdout.write(e+`
`)}};K();V();var Ke=O(require("path")),Ou=O(require("os")),ut=O(require("fs")),Lm=!0,Yt=Lm?".quarkclouddrive":".quark-drive",ba="config.json",Uu=`${Yt}/storage.json`,Lu=`${Yt}/search-results`,Ii="./downloads";var Nu=Ke.join(Ou.homedir(),Yt);function Nm(){return Ke.join(Nu,ba)}function Mm(){return Ke.join(Ke.dirname(process.cwd()),Yt,ba)}function Fm(){return Ke.join(process.cwd(),Yt,ba)}function va(){let s=[Nm(),Mm(),Fm()];return[...new Set(s)]}var Mu="cli";function Fu(s){Mu=(s??"").trim().replace(/[^a-zA-Z0-9._-]/g,"_")||"cli"}function $u(){return Mu}var $m="qrcode";function qu(){return Ke.join(Nu,$m)}function Hu(){let s=qu();if(ut.existsSync(s))for(let e of ut.readdirSync(s))try{ut.rmSync(Ke.join(s,e),{recursive:!0,force:!0})}catch{}}function zu(){let s=qu();return ut.existsSync(s)||ut.mkdirSync(s,{recursive:!0}),Ke.join(s,"unauthorize-qr.png")}function An(s=new Date){let e=(i,o=2)=>String(i).padStart(o,"0"),t=-s.getTimezoneOffset(),r=t>=0?"+":"-",n=Math.abs(t);return`${s.getFullYear()}-${e(s.getMonth()+1)}-${e(s.getDate())} ${e(s.getHours())}:${e(s.getMinutes())}:${e(s.getSeconds())}.${e(s.getMilliseconds(),3)} ${r}${e(Math.floor(n/60))}:${e(n%60)}`}function wn(s){let e=/[?&]req_id=([^&]+)/.exec(s);return e?decodeURIComponent(e[1]):""}function Pr(s){return s?s.length<=12?s:`${s.slice(0,12)}\u2026`:""}var B=class extends Error{constructor(e,t,r,n=1,i={}){super(r),this.name="CliExitError",this.exitCode=n,this.action=e,this.errorCode=t,this.errorMsg=r,this.data=i}},Ci=class{constructor(e){this.verbose=e.verbose,this.output=new ws(this.verbose)}finish(e,t={}
...[truncated 27 chars]
Confidence
98% confidence
Finding
log session

Self-Modification

High
Category
Rogue Agent
Content
`).join(`
#   `)}`}let l=a||wn(e),d=l?` req_id=${l}`:"",u=["",`# [${i}] Response ${t??"-"}${d} ${s} ${e}`,o,""].filter(c=>c!=="").join(`
`);Dr.default.appendFileSync(Zt,u+`
`,"utf8")}catch{}}var d_=new Set([11001,11017,12003,12004]),u_=new Set([11e3]),c_=new Set(["EPIPE","ECONNRESET","ECONNREFUSED","ETIMEDOUT","EHOSTUNREACH"]),vc=1;function p_(s){if(!s||typeof s!="object"||Array.isArray(s))return!1;let e=s;return typeof e.accessToken=="string"&&(e.clientToken===void 0||typeof e.clientToken=="string")&&typeof e.userId=="string"}function Ui(s){return s<1024?`${s}B`:s<1024*1024?`${(s/1024).toFixed(1)}KB`:s<1024*1024*1024?`${(s/1024/1024).toFixed(2)}MB`:`${(s/1024/1024/1024).toFixed(2)}GB`}var vn=class{constructor(e){this.type="network";this.abortControllers=new Map;this.retryMap=new Map;this.socketRetryMap=new Map;this.debug=e?.debug??!1;let t=void 0;if(this.proxyDetected=!!t,t&&(this.proxyUrl=new URL(t)),this.proxyDetected&&this.proxyUrl){let r=this.proxyUrl.hostname,n=parseInt(this.proxyUrl.port||"8888",10);this.httpAgent=new bn.default.Agent({keepAlive:!0}),this.httpsAgent=new xi(r,n),this.log(`Proxy detected: ${this.proxyUrl.href}, HTTPS requests will tunnel through proxy`)}else this.httpAgent=new bn.default.Agent({keepAlive:!0}),this.httpsAgent=new Li.default.Agent({keepAlive:!0});this.setCurlLogFile(e?.curlLogFile)}setCurlLogFile(e){e?Cc(e):Ec()}log(e){this.debug&&console.debug(`[NodeNetworkAdapter] ${e}`)}interceptPanServerRequest(e,t){let r=new URL(e),n=r.pathname,i=lu[n];if(!i)return{url:e,intercepted:!1};if(this.log(`Pan server intercept: ${n} \u2192 ${i.panPath}`),r.hostname=du(i),r.port="",r.pathname=i.panPath,i.panQuery){let a=new URLSearchParams(i.panQuery);for(let[l,d]of a)r.searchParams.set(l,d)}for(let a of au)delete t[a];let o=r.toString();return this.log(`Pan server intercepted URL: ${o}`),{url:o,intercepted:!0}}convertPanResponseToApiResponse(e){if(typeof e!="object"||e===null)return e;let t=e;if(typeof t.status=="number"&&t.status>=100&&"code"in t)
...[truncated 28 chars]
Confidence
94% confidence
Finding
remove check

Self-Modification

High
Category
Rogue Agent
Content
`).join(`
#   `)}`}let l=a||wn(e),d=l?` req_id=${l}`:"",u=["",`# [${i}] Response ${t??"-"}${d} ${s} ${e}`,o,""].filter(c=>c!=="").join(`
`);Dr.default.appendFileSync(Zt,u+`
`,"utf8")}catch{}}var d_=new Set([11001,11017,12003,12004]),u_=new Set([11e3]),c_=new Set(["EPIPE","ECONNRESET","ECONNREFUSED","ETIMEDOUT","EHOSTUNREACH"]),vc=1;function p_(s){if(!s||typeof s!="object"||Array.isArray(s))return!1;let e=s;return typeof e.accessToken=="string"&&(e.clientToken===void 0||typeof e.clientToken=="string")&&typeof e.userId=="string"}function Ui(s){return s<1024?`${s}B`:s<1024*1024?`${(s/1024).toFixed(1)}KB`:s<1024*1024*1024?`${(s/1024/1024).toFixed(2)}MB`:`${(s/1024/1024/1024).toFixed(2)}GB`}var vn=class{constructor(e){this.type="network";this.abortControllers=new Map;this.retryMap=new Map;this.socketRetryMap=new Map;this.debug=e?.debug??!1;let t=void 0;if(this.proxyDetected=!!t,t&&(this.proxyUrl=new URL(t)),this.proxyDetected&&this.proxyUrl){let r=this.proxyUrl.hostname,n=parseInt(this.proxyUrl.port||"8888",10);this.httpAgent=new bn.default.Agent({keepAlive:!0}),this.httpsAgent=new xi(r,n),this.log(`Proxy detected: ${this.proxyUrl.href}, HTTPS requests will tunnel through proxy`)}else this.httpAgent=new bn.default.Agent({keepAlive:!0}),this.httpsAgent=new Li.default.Agent({keepAlive:!0});this.setCurlLogFile(e?.curlLogFile)}setCurlLogFile(e){e?Cc(e):Ec()}log(e){this.debug&&console.debug(`[NodeNetworkAdapter] ${e}`)}interceptPanServerRequest(e,t){let r=new URL(e),n=r.pathname,i=lu[n];if(!i)return{url:e,intercepted:!1};if(this.log(`Pan server intercept: ${n} \u2192 ${i.panPath}`),r.hostname=du(i),r.port="",r.pathname=i.panPath,i.panQuery){let a=new URLSearchParams(i.panQuery);for(let[l,d]of a)r.searchParams.set(l,d)}for(let a of au)delete t[a];let o=r.toString();return this.log(`Pan server intercepted URL: ${o}`),{url:o,intercepted:!0}}convertPanResponseToApiResponse(e){if(typeof e!="object"||e===null)return e;let t=e;if(typeof t.status=="number"&&t.status>=100&&"code"in t)
...[truncated 28 chars]
Confidence
94% confidence
Finding
remove check

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.