Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baidu Pan Upload

v1.1.0

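Upload files to Baidu Netdisk (Baidu Pan) with chunked upload, resumable transfer and progress monitoring. Trigger phrases: 百度网盘上传, baidu pan upload, 上传文件到网盘, upload to baidu pan, 断点续传. Use cases: (1) upload a local file to a specified Baidu Netdisk directory; (2) automatic chunked upload of large files (>4MB); (3) resume after an interruption; (4) automatic creation of the remote directory.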

by superStupidBear @ugpoor

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ugpoor/baidu-pan-upload-skill.

Install the skill "Baidu Pan Upload" (ugpoor/baidu-pan-upload-skill) from ClawHub.
Skill page: https://clawhub.ai/ugpoor/baidu-pan-upload-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install baidu-pan-upload-skill

ClawHub CLI

npx clawhub@latest install baidu-pan-upload-skill
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Baidu Pan uploader with chunking, resume, progress) matches the included script and SKILL.md. However the registry metadata declares no required env vars or binaries while SKILL.md and the script clearly require a .env with AppKey/AccessToken and the presence of curl/Python — this metadata omission is an inconsistency.
Instruction Scope
Runtime instructions are narrowly scoped to uploading a specified local file to a specified remote path and require a .env file path. The agent/script reads the provided local file, writes a .upload_state.json alongside it, and calls Baidu APIs. There is no instruction to read unrelated system files or exfiltrate data to third-party endpoints.
Install Mechanism
No install spec is present (instruction-only plus a Python script). That is low-risk from an installation perspective — nothing is downloaded at install time.
Credentials
The script requires sensitive credentials (access_token, AppKey) provided via a .env file but the skill registry does not declare these required env vars. Implementation detail: the script invokes curl with the access_token included in the URL passed as a subprocess argument, which may expose the token to other local users via process listings (ps). Saving file MD5 and paths in .upload_state.json is expected for resume but is local persistent data the user should be aware of.
Persistence & Privilege
always is false and the skill does not request system-wide persistence or modify other skills. It writes a local state file next to the uploaded file (expected behavior).
What to consider before installing
This skill appears to implement the advertised Baidu Netdisk upload features, but review and caution are advised before use:

  1. The registry metadata fails to declare the required credentials (AppKey/access_token) and the SKILL.md expects a .env path — confirm you provide only a valid token and store the .env securely.
  2. The script calls curl with the access_token in the full URL passed to subprocess.run; on multi-user systems this can leak the token via process listings (ps). Consider running in a single-user or isolated environment or modify the script to avoid embedding secrets in process arguments (use HTTP headers or a library-based multipart upload).
  3. The Python code contains sloppy bugs (e.g., precreate uses md5_of_file(remote_path) instead of the source file, an undefined variable 'res' appears later) — run tests with small non-sensitive files first and consider fixing these bugs or asking the author for a corrected release.
  4. The script writes .upload_state.json alongside source files; ensure correct file permissions and delete it if it contains sensitive metadata you don't want to keep.

If you are not comfortable auditing/fixing the script yourself, prefer an official or well-reviewed client.

Like a lobster shell, security has layers — review code before you run it.

latestvk970cqzey62wt03d8cpxb4p7fs85dbeb
74 downloads
0 stars
2 versions
Updated 4d ago
v1.1.0
MIT-0

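Baidu Netdisk File Upload

Prerequisites

You already have Baidu Netdisk open platform authorization (a valid access_token), and the .env file contains AccessToken, AppKey and SecretKey.

First complete authorization with baidu-pan-per-auth-skill to obtain the token.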

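Uploading a file

python3 scripts/upload.py <local_file> <remote_dir> <env_path> [--overwrite]

Parameters

| Parameter | Description |
|---|---|
| local_file | Local file path |
| remote_dir | Remote directory on Baidu Netdisk (e.g. /docker镜像/备份) |
| env_path | Path to the .env file (contains AccessToken and other credentials) |
| --overwrite | Overwrite a file with the same name (default: do not overwrite) |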

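Upload flow

Every file goes through the same precreate → superfile2(tmpfile) × N → create flow:

  • ≤4MB → quick upload as 1 chunk
  • >4MB → automatic chunking (4MB per chunk), with an MD5 checksum computed for each chunk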

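Resumable upload

After an upload is interrupted, run the same command again and it resumes automatically:

  1. Upload state is saved automatically to .upload_state.json in the same directory as the source file
  2. On restart it checks: file MD5 unchanged → skip chunks already uploaded → continue from the breakpoint
  3. Ctrl+C interrupts safely; the state is saved automatically
  4. The state file is deleted automatically once the upload completes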
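
The resume check described above, as an added example that is not taken from the skill's scripts/upload.py: it computes the per-chunk MD5s for 4MB chunks, keeps progress in .upload_state.json with owner-only permissions, and ignores saved progress when the source file's MD5 has changed. The state field names (file_md5, done) and all function names are assumptions; no Baidu API call is made.

```python
import hashlib
import json
import os
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024       # 4MB per chunk, as stated on the page
STATE_NAME = ".upload_state.json"  # state file name from the page

def scan_file(path, chunk_size=CHUNK_SIZE):
    """Return (whole-file MD5, [per-chunk MD5]) in a single pass over the file."""
    whole, chunks = hashlib.md5(), []
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            whole.update(block)
            chunks.append(hashlib.md5(block).hexdigest())
    if not chunks:  # an empty file is still sent as one (empty) chunk
        chunks.append(hashlib.md5(b"").hexdigest())
    return whole.hexdigest(), chunks

def state_path(src):
    """The state file lives next to the source file."""
    return os.path.join(os.path.dirname(os.path.abspath(src)), STATE_NAME)

def save_state(src, file_md5, done):
    """Write the state atomically; mkstemp creates the file with mode 0600."""
    target = state_path(src)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target))
    with os.fdopen(fd, "w") as f:
        json.dump({"file_md5": file_md5, "done": sorted(done)}, f)  # assumed schema
    os.replace(tmp, target)
    return target

def pending_chunks(src, chunk_size=CHUNK_SIZE):
    """Chunk indexes still to upload; saved progress is dropped if the source changed."""
    file_md5, chunks = scan_file(src, chunk_size)
    done = set()
    try:
        with open(state_path(src)) as f:
            state = json.load(f)
        if isinstance(state, dict) and state.get("file_md5") == file_md5:
            done = {i for i in state.get("done", [])
                    if isinstance(i, int) and 0 <= i < len(chunks)}
    except (OSError, ValueError):
        pass  # missing or corrupt state file: start from the first chunk
    return [i for i in range(len(chunks)) if i not in done]
```

The state file records the source file's MD5 and upload progress, so the 0600 mode matters when the source directory is shared.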

Progress monitoring

During large-file uploads, progress is displayed in real time:

  [████████████░░░░░░░░] 60.0% | 1.1GB/1.9GB | 3.2MB/s | ETA 4m12s

Examples

# Upload a single file
python3 scripts/upload.py /tmp/report.pdf "/文档" /path/to/.env

# Upload a large file (automatic chunking + progress monitoring + resume)
python3 scripts/upload.py /backup/data.zip "/备份" /path/to/.env

# Overwrite an existing file
python3 scripts/upload.py /tmp/config.json "/配置" /path/to/.env --overwrite

# Resume after an interruption (just run the same command again)
python3 scripts/upload.py /backup/data.zip "/备份" /path/to/.env

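Key parameters

| Parameter | Value | Description |
|---|---|---|
| Chunk size | 4MB | Baidu Netdisk API limit |
| Upload domain | d.pcs.baidu.com | Dedicated domain for chunk uploads |
| Retry count | 3 | Retries after each chunk failure |
| Remote path format | Starts with / | /docker镜像 |
| State file | .upload_state.json | Saved in the same directory as the source file |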

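Troubleshooting

| Error | Cause | Fix |
|---|---|---|
| errno: 2 | Wrong path format | Make sure the path starts with / |
| error_code: 31023 | Token expired or uploadid expired | Refresh the token with baidu-pan-per-auth-skill |
| error_code: 31064 | File already exists | Overwrite with --overwrite |
| SSL/timeout | Network instability | Retried automatically 3 times |
| Upload interrupted | Ctrl+C or network disconnected | Run the same command again; it resumes automatically |
| Resume failed | Source file has changed | Delete .upload_state.json and upload again |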

Dependencies

  • curl (bundled with the system)
  • Python 3.7+
  • A valid Baidu Netdisk access_token
