Skillv0.1.5

ClawScan security

Aliyun Drive Uploader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 30, 2026, 9:35 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches its stated purpose (upload/manage Aliyun Drive) but has several implementation issues that increase risk (missing declared env requirement, passing secret on the command line, unsafe command construction, and hard-coded venv paths).
Guidance: This skill appears to implement an Aliyun Drive uploader but has some risky implementation details you should consider before installing: - The skill expects and will persist an ALIYUN_DRIVE_REFRESH_TOKEN in a .env file (the registry metadata does not declare this). Only provide a refresh token you are willing to store in the agent working directory. - The Node launcher passes the refresh token on the command line when calling Python; that makes the token visible to other local processes/users via process listings. Prefer passing secrets via environment variables or stdin instead. - Arguments are concatenated into a shell command (cmd.join(' ')) without escaping; a crafted file path or input could cause shell injection. Do not run this on multi-user or untrusted machines unless the code is patched to spawn the process safely with argument arrays. - The Python script forces a specific venv site-packages path (/tmp/venv/lib/python3.8) and mutates SDK internals (injecting access_token into globals). These are fragile and could behave unexpectedly. Recommendations: - If you need this functionality, ask the author to: (1) declare the required credential in metadata, (2) stop passing the token on the command line (use environment or stdin), (3) use child_process spawn with an args array or proper escaping to eliminate command injection risk, and (4) avoid hard-coded sys.path manipulation or detect the venv path dynamically. - Only use this skill in a trusted, isolated environment and do not provide highly-privileged or shared refresh tokens until these issues are fixed.

Review Dimensions

Purpose & Capability: noteName/description align with the code: the JS entry forwards actions to a Python wrapper that uses the aliyunpan SDK. However the registry metadata declares no required credentials while SKILL.md and the code require an ALIYUN_DRIVE_REFRESH_TOKEN stored in a .env file — this metadata omission is an inconsistency that should have been declared.
Instruction Scope: concernSKILL.md instructs creating a /tmp venv and installing aliyunpan/requests and instructs the user to place ALIYUN_DRIVE_REFRESH_TOKEN in .env; the Python script will read and overwrite that .env to save refreshed tokens. These behaviors are within the uploader's purpose but are sensitive: the skill tells users to extract refresh_token from browser Local Storage (a sensitive operation), and the implementation exposes the token via a command-line argument. The code also hard-codes a venv site-packages path (/tmp/venv/lib/python3.8) which may fail or produce unexpected behavior on systems with different Python versions.
Install Mechanism: noteThere is no automated install spec (instruction-only). SKILL.md recommends pip installing 'aliyunpan' and 'requests' into /tmp/venv (PyPI packages) which is a reasonable source, but the package usage relies on a fragile, hard-coded venv path that the Python script prepends to sys.path.
Credentials: concernThe skill needs a single sensitive credential (refresh_token) to operate, which is proportionate. However the skill manifest did not declare this required env var. More importantly, the JS launcher passes the refresh token on the command line when invoking the Python script, making the token visible in process listings to other local users. The skill also writes back a refreshed token into the .env file, which is expected but changes user files and should be called out.
Persistence & Privilege: okThe skill does not request permanent 'always' inclusion or modify other skills/system-wide settings. It persists only the refresh token into the .env file in the working directory (expected for the described token-refresh behavior).