ClawHub
Back to skill
v1.0.0

AHTV PK to Xunlei

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:27 AM.

Analysis

The artifacts are coherent for finding AHTV episodes and adding them to Xunlei Cloud, with no evidence of malicious behavior, but the skill does require local script execution and access to a Xunlei cloud-drive account.

GuidanceBefore installing, be comfortable with the agent running the included Python scripts and controlling a logged-in Xunlei Cloud session to add, move, and rename episode files. Prefer narrow date ranges first, verify the Xunlei login page, and review the final summary of what was added or skipped.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
Search the whole cloud drive for the exact `target_filename`... ensure the folder path `/快乐无敌大PK/2026` exists... Use 迅雷云盘's link-based add flow... move it into `/快乐无敌大PK/2026`... rename it to `target_filename`.

The workflow can create folders, add link-based cloud tasks, move files, and rename files in Xunlei Cloud. These actions are purpose-aligned and bounded to exact episode filenames and a specific folder, but they are still account-mutating operations.

User impactThe skill can add persistent files to the cloud drive and change their location or name.
RecommendationUse specific date expressions when possible, review the resolved dates before proceeding, and confirm the target folder and filenames are what you expect.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
python "{baseDir}\scripts\parse_date_expr.py" --date-expr "<date_expr>"

The skill instructs the agent to run included Python scripts locally. This is central to the resolver workflow and no privileged or unrelated command is shown, but users should recognize that local code execution is part of the skill.

User impactThe skill will run packaged Python code on the local machine to parse dates and resolve episode URLs.
RecommendationInstall only from a trusted source and review the included scripts if local code execution is a concern.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
If the user is not logged in, use `$sms-login-dom-first` to complete 迅雷云盘 login with phone number plus SMS code

The skill requires access to the user's Xunlei Cloud account through SMS login. This is expected for saving files to that account, and the artifacts do not show token logging or unrelated credential use.

User impactThe agent/browser session will be able to access the user's Xunlei Cloud account during the task.
RecommendationOnly use this skill when you intend to give the agent access to Xunlei Cloud; verify the login domain and avoid sharing SMS codes outside the legitimate login flow.