123pan upload and share
v1.0.4
Upload files to 123pan (123云盘) and generate shareable links. Use when users need to upload files to 123pan and get links for sharing. Supports short share li...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, manifest, SKILL.md and code all consistently implement 123pan uploads (API for <1GB, chunked uploads, WebDAV/rclone for large files). Required env vars (PAN123_ACCESS_TOKEN, PAN123_DIRECT_FOLDER_ID, optional WebDAV creds) match the stated functionality and no unrelated credentials or external services are requested.
Instruction Scope
Runtime instructions and code stay within the upload/share workflow (calling 123pan API endpoints and WebDAV/rclone). The SKILL.md explicitly warns about rclone config leaking other cloud credentials and recommends using an isolated RCLONE_CONFIG. Note: the scripts will read local config.json (in the skill) and may read ~/.config/rclone/rclone.conf if RCLONE_CONFIG is not set; webdav script also inserts the user's local site-packages path to sys.path to import webdav3. These behaviors are relevant to scope and are documented but worth attention.
Install Mechanism
No install spec (instruction-only installation), which means the included Python scripts will run directly. The package does not auto-download code from arbitrary URLs. However, the manifest/README do not fully enumerate Python dependencies (requests is mentioned; webdav3 is used but not listed in manifest). The scripts call subprocesses (rclone) and expect rclone to be present or at a default path; they do not auto-install rclone.
Credentials
Environment variables requested are proportional and specific to the 123pan use case: PAN123_ACCESS_TOKEN and PAN123_DIRECT_FOLDER_ID are required; PAN123_WEBDAV_USER/PASS, RCLONE_BIN and RCLONE_CONFIG are optional and justified for WebDAV/rclone flows. There are no unrelated tokens/keys requested.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does not request permanent platform-wide privileges or modify other skills. It executes user-local commands (Python, rclone) at runtime as expected for an uploader.
Assessment
This skill is internally consistent with its stated purpose, but take these precautions before installing:
(1) Source is unknown — review the included scripts yourself or run them in a sandbox if you don't trust the author.
(2) Do not place unrelated credentials in your default rclone config: set RCLONE_CONFIG to an isolated file and only put 123pan credentials there, or use environment variables.
(3) Provide only a 123pan API token with the minimal required scope (don't reuse broad or highly privileged tokens).
(4) Ensure Python dependencies (requests, webdav3) are installed in an isolated virtualenv to avoid unexpected package interactions.
(5) The scripts may perform long-running polling and spawn rclone subprocesses; expect network traffic only to 123pan endpoints and rclone destinations.
(6) If you want higher assurance, run the upload scripts manually (not via an automated agent) the first time to confirm behavior and outputs.
Like a lobster shell, security has layers — review code before you run it.
