Qq Zone Photo
ReviewAudited by ClawScan on May 1, 2026.
Overview
This appears to be a purpose-aligned QQ Zone photo manager, but it uses full-access QQ cookies and can change or copy photo albums, so users should handle credentials and account actions carefully.
Install and use this only if you trust the skill with your QQ Zone photo session. Use a dedicated local cookies.json, keep it private, review account-changing commands before running them, and consider pinning dependencies in an isolated virtual environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If cookies.json is exposed, another party could potentially access the user’s QQ Zone session.
The skill explicitly relies on QQ/QZone session cookies that grant broad account access. This is expected for the stated QQ Zone integration, but the credential is sensitive.
Cookie 文件包含 QQ空间完整访问权限,**请勿泄露或分享**
Keep cookies.json private, avoid committing or sharing it, restrict local file permissions where possible, and refresh/revoke the session if it may have been exposed.
An unintended command could upload the wrong photo, create an unwanted album, or download a large amount of private photo data.
The skill exposes account-changing and bulk data-copying operations. These are disclosed and aligned with photo management, but mistakes could affect the user’s QQ Zone content or local storage.
`upload` | 上传照片到相册 ... `download-album` | 下载整个相册 ... `create` | 创建新相册
Before running upload, create, or full-album download actions, verify the target album, selected files, and output directory.
A later install may use different dependency versions, which can change behavior or introduce dependency-level vulnerabilities.
Dependencies are specified with minimum versions rather than exact pinned versions, so future installs could resolve to newer package versions than those reviewed.
requests>=2.31.0 Pillow>=10.0.0 qrcode>=7.4.2 pycryptodome>=3.19.0
Prefer a locked dependency file or install in an isolated virtual environment, especially when using account cookies.