ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Manage quark-auto-save(QAS, 夸克自动转存, 夸克转存, 夸克订阅) tasks via API.

Manage quark-auto-save(QAS, 夸克自动转存, 夸克转存, 夸克订阅) tasks via API.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
3 · 112 · 1 current installs · 1 all-time installs
by@cp0204
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required env vars (QAS_BASE_URL, QAS_TOKEN) and required binaries (curl or python3) are coherent with a remote QAS task-management client. The included Python wrapper performs the expected API calls for listing, adding, running, and deleting tasks.
!
Instruction Scope
SKILL.md explicitly instructs the agent to call GET /data and 'record Actual configuration values' into TOOLS.md as part of initial analysis. /data can contain API token and other configuration; instructing automatic collection and storage of those values expands scope beyond merely managing tasks and can lead to unintended persistence of secrets. The doc also directs writing to TOOLS.md but does not declare where that file lives or why full config must be stored.
Install Mechanism
No install spec — instruction-only with an included Python script; nothing is downloaded from external URLs during install. This is the lower-risk model for skills.
!
Credentials
Only QAS_BASE_URL and QAS_TOKEN are required which fits the service. However the instructions to extract and persist configuration (including API token) into TOOLS.md is disproportionate: it elevates local secret storage and retention without justification or safeguards. The skill does not declare TOOLS.md as a required config path nor describe protection of stored secrets.
!
Persistence & Privilege
The skill asks for persistent recording of user habits and 'Actual configuration values' into a TOOLS.md file (persistence to disk). That creates a lasting artifact containing potentially sensitive data (api_token, crontab, tasklist) even though the skill metadata does not declare such persistent config paths. always:false mitigates forced global inclusion, but the write/persist instruction itself is concerning.
What to consider before installing
This skill appears to be a legitimate client for a Quark Auto-Save API, but the SKILL.md asks the agent to fetch full configuration (GET /data) and write 'Actual configuration values' — including API tokens returned by the server — into a TOOLS.md file. Before installing, consider: 1) Verify the upstream repository (https://github.com/Cp0204/quark-auto-save) and confirm what /data returns and whether it includes sensitive tokens. 2) Ask where TOOLS.md will be created (path) and avoid allowing the skill to write secrets there; if you must persist habits, store only non-sensitive metadata and redact tokens. 3) Limit QAS_TOKEN scope or use an ephemeral/revocable token. 4) Review the included scripts/qas_client.py (it uses token in URL) and run it in an isolated environment/container if possible. 5) Be cautious about using the delete or run endpoints — they can remove or execute tasks; require user confirmation. If you cannot confirm safe handling of TOOLS.md and token persistence, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.8.6
Download zip
latestvk974b4yfq9bwtta1g36br8q53s835hjz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💾 Clawdis
Any bincurl, python3
EnvQAS_BASE_URL, QAS_TOKEN
Primary envQAS_TOKEN

SKILL.md

quark-auto-save

Manage quark-auto-save(QAS, 夸克自动转存, 夸克转存, 夸克订阅) tasks via API.

When user send message like https://pan.quark.cn/s/***, get detail, add a QAS task.

WIKI:

⚠️ Prerequisites

Env:

Actual configuration values are recorded in TOOLS.md, Do not modify SKILL.md

First Configuration: Analyze User Habits

After the user sets the token, the following analysis must be performed and recorded in TOOLS.md:

  1. Get Current Configuration:

    GET /data?token={QAS_TOKEN}

  2. Analyze Saving Habits:

    • Extract savepath directory patterns from existing tasks (e.g., /video/tv/, /video/anime/, /video/movie/)
    • Understand naming pattern preferences from pattern replace magic_regex

  3. Record to TOOLS.md:

    ### quark-auto-save habits
- TV Series Directory: /video/tv/{name}
- Anime Directory: /video/anime/{name}
- Movie Directory: /video/movie/{name}
- Naming Pattern: $TV_MAGIC

Python Client (Recommended)

If Python is available, prioritize using Python for execution A Python wrapper script is available at {baseDir}/scripts/qas_client.py.

# Set environment
export QAS_BASE_URL=
export QAS_TOKEN=

# Commands
python {baseDir}/scripts/qas_client.py data                   # Get all config & tasks
python {baseDir}/scripts/qas_client.py search "query"         # Search resources
python {baseDir}/scripts/qas_client.py search "query" -d      # Deep search
python {baseDir}/scripts/qas_client.py detail "<shareurl>"    # Get share detail
python {baseDir}/scripts/qas_client.py add task.json          # Add task
python {baseDir}/scripts/qas_client.py run                    # Run all tasks
python {baseDir}/scripts/qas_client.py run "TaskName"         # Run specific task
python {baseDir}/scripts/qas_client.py savepath "/video/tv"   # Check savepath

⚠️ Important: Token Location

Token MUST be in URL query parameter, NOT in request body!

  • ✅ Correct: GET /data?token=xxx or POST /api/add_task?token=xxx
  • ❌ Wrong: POST /api/add_task with {"token": "xxx"} in body (server ignores it)

API

All APIs require ?token=xxx query parameter. Example: $QAS_BASE_URL/$ENDPOINT?token=xxx

EndpointMethodPurpose
/dataGETGet all config, tasks, and API token
/updatePOSTUpdate config (including add/delete/modify tasks via tasklist)
/api/add_taskPOSTAdd new task
/task_suggestionsGETSearch resources ?q=keyword&d=1 (d=1 for deep search)
/get_share_detailPOSTGet share details, file list, and subdirs
/get_savepath_detailGETGet savepath file list ?path=/video/tv/xxx or ?fid=xxx
/delete_filePOSTDelete file by fid (dangerous behavior, requires confirmation)
/run_script_nowPOSTRun task manually (supports SSE streaming output)
/loginGET/POSTWebUI login
/logoutGETLogout

Task Schema

{
  "taskname": "Earth",
  "shareurl": "https://pan.quark.cn/s/xxx#/list/share/fid",
  "savepath": "/video/tv/Earth",
  "pattern": "$TV_MAGIC",
  "replace": "",
  "update_subdir": "",
  "ignore_extension": false,
  "runweek": [1,2,3,4,5,6,7],
  "addition": {}
}

Task Fields

FieldRequiredDescription
tasknameYesStandard media name, no season info (e.g., "Black Mirror" not "Black Mirror S03")
shareurlYesQuark share URL
savepathYesSave directory in Quark cloud drive
patternNoRegex or magic pattern for rename
replaceNoReplacement pattern
update_subdirNoUpdate pattern for subdirectories
ignore_extensionNoIgnore file extension when checking duplicates
runweekNoWeek of run, []=disable task
additionNo(Auto gen) Plugin config
shareurl_banNo(Auto gen) Have key mean bad shareurl, value is reason

savepath Rules

(Example, based on user habits)

  • /video/tv/{name} for TV series
  • /video/anime/{name} for anime
  • /video/movie/{name} for movies

shareurl Rules

Format

  • https://pan.quark.cn/s/{abc123}
  • https://pan.quark.cn/s/{abc123}#/list/share/{fid}

Priority for selecting subdirectories:

  1. Select subdirectories containing video files (mp4, mkv, avi, etc.)
  2. Prioritize directories with higher resolution: 4K > 1080P > 720P > Others
  3. Prioritize directories with embedded/internal subtitles
  4. Avoid selecting non-main content directories such as trailers, extras, etc.

Getting subdir:

POST /get_share_detail
{"shareurl": "https://pan.quark.cn/s/{abc123}#/list/share/{fid}", "task": {...}}

Returns file_list structure containing all subdir and files.

Pattern & Rename

patternreplaceExample
.*Save all files
\.(mp4|mkv)$Save all .mp4 .mkv files
^【AD】NAME(\d+)\.mp4\1.\2【AD】NAME01.mp4 → 01.mp4
^(\d+)\.mp4S02E\1.mp401.mp4 → S02E01.mp4
^(\d+)\.mp4{TASKNAME}.S02E\1.mp401.mp4 → taskname.S02E01.mp4
$TVUse MagicRegex (User Custom)

Magic Variables

Can be used in task.replace

VariableDescriptionExample
{TASKNAME}taskname from taskEarth
{II}Index number, auto incremented, padding with zeros01 02 001 002
{EXT}File extension, extracted from filenametxt mp4 jpg
{DATE}Date, extracted from filename, formatted as YYYYMMDD20231026
{YEAR}Year, extracted from filename1874 2025
{S}Season number, extracted from filename01 02
{SXX}Season string with S prefix, or S01 if not foundS01 S02
{E}Episode number, extracted from filename1 01 123
{PART}"上/中/下" or "一/二/三/...十" part, or empty if not found

Workflow: Add New Task

  1. Search for the media:

    GET /task_suggestions?q={name}&d=1&token={QAS_TOKEN}

  2. Get share detail to see subdirs and files:

    POST /get_share_detail?token={QAS_TOKEN}
{"shareurl": "https://pan.quark.cn/s/xxx"}

  3. Select subdir: Find folder with video files, prefer highest quality (4k > 1080p > 720p)

  4. Verify savepath exists:

    GET /get_savepath_detail?path=/video/tv/{name}&token={QAS_TOKEN}

  5. Create task:

    POST /api/add_task?token={QAS_TOKEN}
{
  "taskname": "Black Mirror",
  "shareurl": "https://pan.quark.cn/s/xxx#/list/share/fid",
  "savepath": "/video/tv/Black Mirror",
  "pattern": "$TV_MAGIC",
  "addition": {"emby": {"try_match": true}, "alist_strm_gen": {"auto_gen": true}}
}

Workflow: Check for Invalid Tasks

Each time the task list is retrieved, check for the shareurl_ban key:

  1. Get Task List:

    GET /data?token={QAS_TOKEN}

  2. Check for Invalid Tasks:

    tasks = data.get('tasklist', [])
invalid_tasks = [t for t in tasks if 'shareurl_ban' in t]

  3. Notify User:

    • Inform the user which tasks are invalid and why
    • Ask if they need replacement

  4. Replace Invalid Tasks:

    • Replace the shareurl value of invalid tasks, keeping other values unchanged
    • Remove the shareurl_ban key
    • Use /update to update the tasks

Workflow: Delete Task

Tasks cannot be deleted directly. Use /update to replace the entire tasklist:

  1. Get current tasks:

    GET /data?token={QAS_TOKEN}

  2. Update with filtered tasklist (remove the task you want to delete):

    POST /update?token={QAS_TOKEN}
{"tasklist": [{"taskname": "Task to keep", ...}]}

Workflow: Run Task Manually

Returns SSE stream (text/event-stream) with script output, not JSON.

# Run specific task
curl -X POST "$QAS_BASE_URL/run_script_now?token=$QAS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"tasklist": [{"taskname": "Black Mirror", ...}]}'

# Run all tasks
curl -X POST "$QAS_BASE_URL/run_script_now?token=$QAS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{}'

Output format:

data: ===============程序开始===============
data: ⏰ 执行时间: 2026-03-18 14:38:34
data: ...

Example Commands

# Get all config and tasks
curl "$QAS_BASE_URL/data?token=$QAS_TOKEN"

# Search for a movie
curl "$QAS_BASE_URL/task_suggestions?q=dune%20part%20two&d=1&token=$QAS_TOKEN"

# Get share detail with preview (magic rename preview)
curl -X POST "$QAS_BASE_URL/get_share_detail?token=$QAS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"shareurl": "https://pan.quark.cn/s/xxx", "task": {"taskname": "Dune", "savepath": "/video/movie/Dune", "pattern": "$TV_MAGIC", "update_subdir": "", "ignore_extension": false}}'

# Check savepath contents
curl "$QAS_BASE_URL/get_savepath_detail?path=/video/tv/Black%20Mirror&token=$QAS_TOKEN"

# Delete a file
curl -X POST "$QAS_BASE_URL/delete_file?token=$QAS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"fid": "5f9xxxxxxxxxxxxx"}'

Config Fields

The /data endpoint returns these config sections:

SectionDescription
source.netNetwork search config
source.cloudsaverCloudSaver config
source.pansouPanSou search config
crontabCron schedule (e.g., "0 8,18,20 * * *")
magic_regexCustom magic rename patterns
pluginsPlugin configurations
tasklistArray of all tasks
api_tokenCurrent API token

Error Handling

  • {"success": false, "message": ""} - Token invalid or not provided
  • {"success": false, "data": {"error": "..."}} - API returned an error
  • Check response success field for operation status

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…