Skill v1.0.1
ClawScan security
115 Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict (Mar 15, 2026, 1:48 PM)
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions largely match its stated purpose (managing a 115 网盘 account), but several inconsistencies and operational risks warrant caution before installing: session cookies are persisted locally, the code depends on puppeteer (headless Chromium) with no install spec, and the allowed-tools list is broad enough to read and write arbitrary files.
- Guidance: This package mostly does what it claims (managing a 115 account), but review the following before installing:
  1. Cookie storage and protection: find out where cookie files are saved and whether cookie-store encrypts them. The cookies grant full account access; if they sit unencrypted on disk they are as sensitive as a password.
  2. Puppeteer and dependencies: the code references puppeteer (headless Chromium). Confirm your runtime already provides puppeteer/Chromium, or accept that installing it pulls in large native binaries. Allowing puppeteer in a shared environment increases risk.
  3. Allowed tools vs invocation policy: SKILL.md lists allowed-tools including Bash, Read and Glob. Make sure the platform sandboxes the skill tightly enough that it cannot run arbitrary shell commands or read unrelated files. Also clarify which disable-model-invocation setting the platform honors (SKILL.md or registry metadata); if autonomous invocation is possible, the saved cookies raise the impact of any misuse.
  4. History/export behavior: the skill keeps an operation history and supports export. Verify that exports do not include raw cookies, SE/UID values, or other secrets.
  5. Principle of least privilege: only install if you trust the maintainer. If you proceed, run the skill in an isolated environment (a container) or review the cookie-store and session-persistence code (file paths, encryption, permissions).
  If you want, I can:
  - Summarize the cookie-store implementation (showing where and how it writes data) if you provide that file's content; or
  - Highlight every place where the code writes to disk, launches subprocesses, or makes network requests to non-115 domains.
Review Dimensions
- Purpose & Capability: ok
  Name/description describe 115 网盘 management, and the repository contains modules for QR login, an HTTP client, file browsing, transfer, share handling, offline download, and smart organizing. These map directly to the declared features (login, browse, search, transfer, lixian, organizer). No unrelated cloud providers or surprising external credentials are requested.
- Instruction Scope: concern
  SKILL.md describes a behavioral flow consistent with the code (generate QR, poll status, save cookies, then call Skill115Master.handle). However, the SKILL.md frontmatter lists allowed-tools: Read, Grep, Glob, Bash; granting Bash together with file-reading tools lets the skill run arbitrary filesystem commands well beyond the described actions. The README and code say sensitive items (Cookie, UID) must not be leaked, yet the code persists cookies, and the history/export features could include contextual data; neither the skill manifest nor SKILL.md declares the file paths or the exact storage location and format. Also, SKILL.md sets disable-model-invocation: true while the registry metadata shows the platform default (disable-model-invocation: false). This mismatch should be clarified: if the platform ignores the SKILL.md setting, autonomous invocation may be allowed.
- Install Mechanism: note
  No install spec is provided, but the package includes code that requires heavy runtime dependencies (puppeteer in lib/auth-puppeteer.js; QRCode, axios and crypto elsewhere). Without an install script, the runtime that executes this code must already have these modules available, and installing them typically means downloading large binaries (Chromium for puppeteer). The absence of an install section is a mismatch: the code expects dependencies but declares no installation instructions. No external download URLs or unknown release hosts were found.
- Credentials: note
  The skill declares no required environment variables or external credentials, which is consistent with an account-based QR login flow. It persists cookies locally (cookie-store module) to maintain session state; this is expected for a login-based skill, but the data is sensitive. The code builds request signatures from stored cookie fields (SE) and persists cookie metadata for up to 90 days. The manifest does not document where cookie files are written or whether they are encrypted, which matters because the cookie data grants account access. The allowed-tools list (Bash/Read/Glob) increases the risk that local secrets could be accessed unless the platform constrains it.
- Persistence & Privilege: ok
  The skill stores session cookies to persist login state (normal for this type of skill). It does not request always: true nor attempt to modify other skills' configs. Note: SKILL.md sets disable-model-invocation: true (explicit invocation required) while registry metadata indicates that default model invocation may be allowed; this inconsistency should be resolved. Cookie persistence and history export are expected behaviors, but they broaden the blast radius if the skill runs autonomously or has access to shell tools.
