Cloud Share Downloader
Security checks across malware telemetry and agentic risk
Overview
This skill promises hands-off cloud-share transfers, but it may ask for raw cloud-drive cookies and copy or re-share files through an unspecified cloud account without clear controls.
Use caution before installing. Do not provide raw cloud-drive cookies, and only use the skill if you are comfortable with files being copied to a clearly identified destination account. Ask for explicit confirmations, scoped credentials, destination selection, link privacy settings, and deletion/retention details before any transfer.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Providing cookies could let the skill or agent act inside the user’s cloud-drive account, not just download one shared file.
The script directs the assistant to request raw cloud-drive cookies. Cookies are broad session credentials, and the registry declares no credential contract or scope limits.
"baidu": "百度网盘 - 需要Cookie授权" ... "how_to_help": "请提供网盘的Cookie,我可以帮你保存"
Do not provide raw cookies. Require a declared, scoped OAuth or token flow, clear credential handling rules, revocation guidance, and ideally use a limited/test account.
A private or sensitive file link could be copied to another cloud account and made available through a new share link without the user reviewing the destination or sharing settings.
The skill instructs fully automatic file transfer and creation of a new share link, but does not require explicit user approval for the high-impact copy/re-share action.
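The user only needs to send a link, everything else is fully automatic! ... I will save the file to my cloud drive and then give you a new share link.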
Require explicit confirmation before each transfer, let the user choose the destination account/folder and share visibility, and provide a clear undo/delete workflow.
User-selected files may leave the original sharing service and persist in an unknown cloud account, where access and deletion are unclear.
The destination is described only as “my cloud drive,” with no identified provider, account owner, access boundary, retention policy, or sharing control.
Transfer to my cloud drive ... return my share link
Disclose the exact storage provider/account boundary, retention period, link visibility, and deletion process before any transfer occurs.
Users may trust the automation and provide links or credentials without understanding the account-access and re-sharing consequences.
The skill frames the workflow as requiring only a link and no other action, which under-discloses the later cookie requirement and the implications of copying files to a separate cloud account.
**Just send me the share link!** ... ## No action required at all
Revise the documentation to clearly state when login/cookies are required, what actions will be taken, and when the user must approve transfer or sharing.
The skill may not work as advertised unless an undeclared external tool is installed, and users cannot verify pinned dependency versions from the provided artifacts.
The script references an external downloader, but the registry lists no required binaries and there is no install spec. This is purpose-aligned for video/cloud downloading, but it is not fully declared.
# This will call tools such as yt-dlp to download automatically
Declare and pin external tools such as yt-dlp, document installation steps, and align artifact versions.
