Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The description promises complete automation: 'I save to my cloud and return a new share link.' However the package declares no credentials, no config paths, and no install or backend endpoints. The included script only detects link types and prints whether login/cookies are needed; it does not implement uploading or returning a hosted share link. This is a substantive mismatch between claimed capability and actual implementation.
Instruction Scope
SKILL.md instructs users to merely send a share link and promises transfer. The script, however, outputs that some providers 'need Cookie authorization' and suggests asking the user for cookies. That means the runtime flow could ask for highly sensitive data (cookies) not listed in the skill's requirements. The SKILL.md is vague about how files are obtained/stored and gives broad permission ('完全自动化') without specifying data flows or destinations.
Install Mechanism
There is no install spec (instruction-only), which reduces immediate risk from hidden installers. The Python script references using yt-dlp for media parsing in comments/strings but does not include installation steps or vendor-hosted binaries. If the skill actually attempted automated downloads, it would need external binaries (yt-dlp), but those are not declared.
Credentials
No environment variables or primary credentials are declared, yet the script explicitly states it may require users' cloud cookies to save files on behalf of users. Requesting cookies (or other credentials) is sensitive and should be declared; the absence of any declared credential requirement is disproportionate and opaque.
Persistence & Privilege
The skill is not marked 'always' and does not request elevated platform privileges. It does not modify system or other skills' config in the provided files. Autonomous invocation is allowed (the platform default) but there is no evidence of privileged persistence.
What to consider before installing
This skill's promises (auto-transfer and providing a new share link hosted by the skill) are not supported by the code or metadata. Before installing or using it: do not send cookies or account credentials to the skill; ask the author to explain exactly where files are uploaded (what backend/URL/account), how long they are retained, and how share links are generated; request the full server-side code or hosting endpoint so you can verify no exfiltration occurs; if asked to provide cookies, treat that as highly sensitive—prefer using a disposable account or avoiding the skill. If you must test, run the logic locally in an isolated environment and avoid sharing private links or credentials.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Cloud Share Saver ☁️💾
你发链接,我转存,完全自动化!
用户要做的
只需发分享链接给我!
发给我: https://pan.baidu.com/s/xxxxx
或者: https://www.alipan.com/s/xxxxx
我自动完成:
- ✅ 识别链接类型
- ✅ 尝试获取文件
- ✅ 转存到我的网盘
- 🔗 返回我的分享链接
完全没有操作
用户只需要发链接,其他全部自动!
支持
| 类型 | 支持 | 说明 |
|---|---|---|
| 百度网盘 | ✅ | 发链接即可 |
| 阿里云盘 | ✅ | 发链接即可 |
| 夸克网盘 | ✅ | 发链接即可 |
| 115网盘 | ✅ | 发链接即可 |
| B站视频 | ✅ | 发链接即可 |
| 抖音/快手 | ✅ | 发链接即可 |
返回什么
我会把文件存到我的网盘,然后给你一个新的分享链接。
现在就发一个网盘链接给我试试!
Files
3 totalSelect a file
Select a file to preview.
Comments
Loading comments…