123pan upload and share

Security checks across malware telemetry and agentic risk

Overview

The skill mainly uploads files to 123pan as advertised, but users should review its credential handling, rclone/WebDAV scope, and inconsistent link-privacy behavior before installing.

Install only if you intend to upload selected local files to 123pan. Use a dedicated 123pan-only rclone config via RCLONE_CONFIG, verify RCLONE_BIN points to a trusted rclone binary, avoid storing real tokens in config.json, and check whether the generated link exposes your 123pan user ID before sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from pathlib import Path

# Detect the rclone path: environment variable > system PATH > default local path
RCLONE_BIN = os.environ.get("RCLONE_BIN") or subprocess.run(["which", "rclone"], capture_output=True, text=True).stdout.strip() or os.path.expanduser("~/.openclaw/rclone-v1.73.2-linux-amd64/rclone")

# Support an isolated rclone config (avoid reading ~/.config/rclone/rclone.conf)
RCLONE_CONFIG = os.environ.get("RCLONE_CONFIG")
Confidence
89% confidence
Finding
RCLONE_BIN = os.environ.get("RCLONE_BIN") or subprocess.run(["which", "rclone"], capture_output=True, text=True).stdout.strip() or os.path.expanduser("~/.openclaw/rclone-v1.73.2-linux-amd64/rclone")

Tainted flow: 'cmd' from os.environ.get (line 122, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
]
    
    try:
        process = subprocess.Popen(
            cmd,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
Confidence
92% confidence
Finding
process = subprocess.Popen( cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, bufsize=1, universal_newli

Tainted flow: 'cmd' from os.environ.get (line 122, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
# Get remote file info using rclone ls
        cmd = [RCLONE_BIN, 'lsjson', remote_file]
        result = subprocess.run(cmd, capture_output=True, text=True, env=get_rclone_env())
        
        if result.returncode == 0:
            import json
Confidence
91% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, env=get_rclone_env())

Tainted flow: 'cmd' from os.environ.get (line 70, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
]
    
    try:
        process = subprocess.Popen(
            cmd,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
Confidence
91% confidence
Finding
process = subprocess.Popen( cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, bufsize=1, universal_newli

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill uses sensitive capabilities (environment variables, network access, and shell/rclone invocation) but does not declare permissions, which undermines transparency and informed consent. In a file-upload skill, these capabilities can access local credentials and send data off-host, so hiding or omitting them increases the risk of unintended data exposure or credential misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented description says the skill is for small-file uploads under 1GB, but the content reveals broader behavior: WebDAV uploads, rclone subprocess use, account listing/search, verification polling, and use of additional credentials/config files. This mismatch is dangerous because users and policy systems may approve the skill for a narrow purpose while it actually has wider access to cloud account contents and local credential material.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README instructs users to upload local files to a third-party cloud service without an explicit warning that file contents leave the local environment and become subject to 123pan's storage, access controls, and retention policies. In an agent skill context, this can lead to unintended exfiltration of sensitive local data if users or downstream automation invoke the skill without understanding the privacy implications.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script uploads arbitrary local file contents to a third-party cloud service but provides no explicit user-facing notice about data transmission, retention, or privacy implications. In an agent skill context, this can cause users to disclose sensitive files unintentionally, especially when the tool is invoked automatically or opaquely.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The code silently uses an access token from environment variables or config.json for authenticated requests without making credential usage explicit to the user. In an agent setting, hidden credential use can surprise users, cause uploads under the wrong account, and reduce auditability of actions taken on their behalf.

VirusTotal

64/64 vendors flagged this skill as clean.
