Pywayne Cross Comm

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If broad OSS credentials are used, transferred files could be uploaded to or retrieved from a cloud bucket beyond the intended scope.

Why it was flagged

The skill documents Aliyun OSS access credentials for file/image/folder transfer. This is purpose-aligned, but those credentials can grant access to a cloud storage bucket.

Skill content

OSS_ACCESS_KEY_ID=your-access-key
OSS_ACCESS_KEY_SECRET=your-access-secret

Recommendation

Use a dedicated, least-privilege OSS key and bucket for this skill, avoid sharing secrets in chat or logs, and rotate the key if exposed.

What this means

A mistaken or overly broad file/folder path could share more local data than intended.

Why it was flagged

The documented API can upload local files or folders to OSS as part of messaging. This is central to the stated purpose, but local path selection should remain explicit.

Skill content

# File (auto uploads to OSS)
await client.send_message("/path/to/file.txt", CommMsgType.FILE)
...
# Folder (auto uploads to OSS)
await client.send_message("/path/to/folder", CommMsgType.FOLDER)

Recommendation

Only send specific user-approved files or folders, and avoid using broad paths such as home directories or project roots unless that is intended.

What this means

If exposed on an untrusted network, unintended clients may be able to connect or exchange messages depending on the underlying library configuration.

Why it was flagged

The examples show a WebSocket server listening on all interfaces and clients identified by client IDs. Network messaging is the core purpose, but the setup examples do not show authentication or transport restrictions.

Skill content

server = CrossCommService(role='server', ip='0.0.0.0', port=9898)
...
client_id='my_client',    # Optional: auto-generated if omitted

Recommendation

Bind to localhost or a trusted interface when possible, use firewall rules or authentication/TLS if supported, and exchange files only with trusted clients.

What this means

Users must trust the external package that implements the documented behavior.

Why it was flagged

The skill depends on an external Python module while the supplied artifact set contains only documentation and no install specification or package source.

Skill content

from pywayne.cross_comm import CrossCommService, CommMsgType

Recommendation

Install the pywayne package only from a trusted source and review its package metadata or source before using it in sensitive environments.