百度网盘 (Baidu Netdisk)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Baidu Netdisk file-management skill with sensitive but purpose-aligned cloud, credential, install, and backup behavior.

Install only if you are comfortable giving the bdpan CLI access to your Baidu Netdisk account. Review prompts before approving uploads, deletes, shares, transfers, memory backup/restore, uninstall, or skill updates, and avoid using it on shared or untrusted machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Low
Confidence: 82%
Finding
The guide makes a security assurance that tokens are 'encrypted' while only documenting storage in a local JSON config path and providing no substantiation. Unsupported claims about credential protection can cause users and downstream agents to handle tokens less cautiously, increasing the risk of credential theft if the file is actually plaintext or weakly protected.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The documented uninstall capability removes local authentication data, configuration, and the bdpan binary from the user's system. That behavior is outside ordinary Baidu Netdisk file operations and gives the skill authority to modify local state unrelated to the user's cloud files, increasing the blast radius if triggered improperly or socially engineered.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The self-update mechanism downloads and overwrites skill files from the network, which is a supply-chain and code-modification capability rather than a Netdisk file-management function. Even with documented domain allowlists and SHA256 checks, exposing agent-triggerable self-modification materially increases risk because compromise of the update channel, repo, or confirmation flow could change future agent behavior.

Intent-Code Divergence

High
Confidence: 96%
Finding
The confirmation text tells users the update 'will not modify ... local files,' but the script immediately overwrites files in the skill directory via unzip and writes the VERSION file. This is a security-relevant misrepresentation because it can mislead users into approving code changes under a false understanding of the scope of modification.

Missing User Warnings

Medium
Confidence: 94%
Finding
The transfer examples instruct the agent to save shared-link content directly into the user's Baidu drive without an explicit warning or confirmation that this is a write operation to remote storage. That can cause unintended persistence of untrusted or wrong content in the user's cloud account, especially when users may interpret transfer as a read-only preview-like action.

Missing User Warnings

Medium
Confidence: 90%
Finding
The move, copy, rename, and mkdir examples perform remote state-changing operations without showing any warning, preview, or confirmation. In an agent setting, this raises the risk of accidental file reorganization, duplication, or renaming in the user's cloud storage from ambiguous prompts or model misunderstanding.

Missing User Warnings

Low
Confidence: 92%
Finding
On authorization-code format errors, the script prints the user-supplied AUTH_CODE back to the terminal. Even though the code is short-lived, echoing secrets increases the chance of shoulder-surfing, terminal scrollback retention, session recording leakage, or accidental capture in logs/screenshots. In a high-risk Baidu Netdisk login flow, exposing any credential-like token is unnecessary and weakens otherwise careful handling of the code.

VirusTotal

64/64 vendors flagged this skill as clean.