Weiyun
WarnAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real Weiyun cloud-drive integration, but it needs review because it can delete/share cloud files, handles tokens unsafely in command examples, auto-installs dependencies, and tells the agent to follow remote update instructions.
Install only if you trust this Weiyun integration and are comfortable granting it access to manage your cloud-drive files. Avoid passing real tokens on the command line, review any setup-installed packages, and require explicit confirmation before deletes, permanent deletes, moves, uploads, or share-link creation.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote response could influence what the agent does before using the skill, including update actions the user has not reviewed.
The skill tells the agent to follow update instructions returned by a remote service, which can make unreviewed remote text authoritative.
如果当前版本 `version` 低于最新版本 `latest`,则遵循 `instruction` 指令进行更新,或提示用户更新。
Treat remote update text as advisory only; require explicit user approval and preferably signed, pinned, or registry-verified updates before executing any update instructions.
An agent mistake or ambiguous user request could delete cloud files or directories, potentially permanently.
The skill exposes batch deletion, including permanent deletion, for the user's cloud-drive contents. The visible instructions do not require an explicit confirmation step before high-impact deletes.
`weiyun.delete` — 批量删除 ... `delete_completely` ... true-彻底删除
Require the agent to show the exact files/directories and ask for explicit confirmation before deletion, especially when `delete_completely=true`.
Private cloud files or folders could be made accessible through a share link if the agent misinterprets the request.
The skill can create external share links, including passwordless links, but the visible artifacts do not require a confirmation or privacy warning before sharing.
`weiyun.gen_share_link` — 为微云网盘中的文件或目录生成分享短链接 ... `passwd` ... 不填则创建无密码分享
Require explicit confirmation before generating share links, and warn when creating passwordless shares.
Anyone who can see local process arguments or command history may be able to recover the Weiyun token and access the user's cloud-drive account through this integration.
The documentation shows passing a high-value MCP token as a command-line argument, which can expose it through process listings, shell history, logs, or terminal recordings.
python3 scripts/upload_to_weiyun.py /path/to/file --token <mcp_token>
Prefer environment variables, secure credential storage, or interactive secret prompts; avoid documenting or using `--token` for real tokens.
The local mcporter configuration can continue to authorize Weiyun actions after setup until the token is removed or revoked.
The setup script persists the Weiyun MCP token into a home-scoped mcporter configuration. This is purpose-aligned, but it is sensitive account access that users should understand.
mcporter config add "$_WY_SERVICE_NAME" "$_WY_MCP_URL" ... --header "WyHeader=mcp_token=$token" --scope home
Clearly disclose where the token is stored, how to revoke it, and how to remove the mcporter configuration when the user no longer wants this access.
Running the setup may change the user's local environment and install code from package registries without the installation being declared up front.
The setup script can install a global npm package and an unpinned Python package even though the registry says there is no install spec and no required binaries.
npm install -g mcporter@0.8.1 ... pip3 install requests 2>/dev/null || pip install requests 2>/dev/null
Declare these dependencies in the install metadata, ask before installing, avoid global installs where possible, and pin Python dependencies.