Drive Tools
v0.0.3
Drive Tools (云盘工具). A cloud drive CLI tool supporting SMB, WebDAV, and FTP protocols, providing file listing, uploading, downloading, and remote management f...
by @smiletm
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the packaged files: scripts implement SMB, FTP and WebDAV clients and the config.json templates match those protocols. There are no unrelated env vars, binaries, or install steps requested.
Instruction Scope
SKILL.md instructs the agent to guide users to produce and save drive credentials into skills/drive-tools/config.json and to run connection tests. This is within scope for a drive management tool, but it means the agent will handle users' plaintext credentials and will be asked to write them to disk. The skill also instructs use of a whitelist downloads directory (good) but relies on the agent to enforce that.
Install Mechanism
No install spec; code is included in the skill bundle. Nothing is downloaded from external or untrusted URLs during install.
Credentials
The skill declares no required environment variables, which aligns with its function. However, it requires users to provide protocol credentials (user/password/host) that will be stored in config.json in plaintext inside the skill folder — this is expected for such a tool but is a sensitive operation and should be treated accordingly (use least-privilege accounts, app-specific passwords, and limit base_path).
Persistence & Privilege
always:false and no unusual privileges are requested. The skill will store its own config file and run scripts when invoked, which is normal and scoped to the skill.
Assessment
This skill appears coherent for managing SMB/FTP/WebDAV drives, but take these precautions before installing or using it:
- Understand that you will be asked to enter drive usernames/passwords which the skill stores in plaintext at skills/drive-tools/config.json — prefer app-specific or limited-access accounts and avoid reusing high-privilege credentials.
- Review the config.json and scripts yourself; the FTP TLS context in the code disables certificate verification (context.verify_mode = CERT_NONE), which can allow man-in-the-middle attacks. If you care about TLS authenticity, modify the code to validate certs.
- Keep base path (path) restricted in config.json to limit the skill's access scope, and use the recommended whitelisted downloads directory (e.g., ~/.openclaw/media/downloads) so files the skill writes are constrained.
- Ensure the runtime environment has the required Python packages (requests, pysmb, ftplib standard library, etc.) and that you trust network connectivity to the configured servers.
- If you are not comfortable storing credentials on disk, do not add them or consider encrypting the config file or using ephemeral credentials. Remove the skill when not needed.
If you want, I can point out the exact lines where TLS verification is disabled and suggest code changes to force certificate validation and safer credential handling.
Like a lobster shell, security has layers — review code before you run it.
