Baidu Pan Upload
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says—upload user-selected files to Baidu Pan—but it needs Baidu credentials, runs a local Python/curl uploader, and writes a local resume-state file.
Install/use this only if you intend to upload the selected local files to Baidu Pan. Verify the full script, protect the .env credential file, confirm the remote path before running, and use --overwrite only when replacing remote files is intentional.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less independent provenance information about who maintains the uploader.
The skill has limited provenance information. Because the code is included and the behavior is disclosed, this is a transparency note rather than a concern.
Source: unknown; Homepage: none
Inspect the included script before running it, especially because it handles cloud credentials and local files.
Using the skill will run local Python code and curl, and will send the chosen file chunks to Baidu Pan.
The helper runs curl locally to upload chunks. This is central to the skill’s purpose and uses argument arrays rather than shell strings, but it is still local command execution.
result = subprocess.run(['curl', '-s', '-X', 'POST', full_url, ... '-F', f'file=@{chunk_filepath}', ...])
Run it only in an environment where Python and curl are trusted, and confirm the local file path before invoking the upload.
A mistaken remote path or overwrite flag could change or replace files in the connected Baidu Pan account.
The skill can mutate Baidu Pan storage, including overwriting same-name files when the user supplies --overwrite. This is disclosed and purpose-aligned.
| --overwrite | Overwrite files with the same name (default: do not overwrite) |
Double-check the remote directory and avoid --overwrite unless replacement is intended.
Anyone who can read the .env file or token may be able to act on the connected Baidu Pan account within the token’s permissions.
The skill requires Baidu Pan API credentials to authorize uploads. This is expected for the integration, but it grants access to the linked account.
Baidu Pan Open Platform authorization is already in place (access_token is valid), and the .env file contains AccessToken, AppKey, and SecretKey.
Protect the .env file, use the least-privileged Baidu app/token available, and revoke or rotate tokens if they are exposed.
The source directory may contain temporary upload metadata revealing file paths, remote paths, and upload identifiers if an upload is interrupted.
The uploader persists resume metadata beside the source file. It does not appear to store credentials, but it records local and remote file information and is reused for resume decisions.
STATE_FILENAME = '.upload_state.json' ... 'local_file': os.path.abspath(local_file), ... 'remote_path': remote_path, 'upload_id': upload_id
Keep the source directory private and delete .upload_state.json if you want to reset or remove resume metadata.
