Weiyun Skills
Review
Audited by ClawScan on May 2, 2026.
Overview
This appears to be a legitimate Tencent Weiyun cloud-storage manager, but it needs password-equivalent session cookies and can modify, delete, or share cloud files.
Install this only if you want the agent/tool to manage your Weiyun account. Treat cookies.json like a password, use a non-primary account if possible, verify every upload/delete/share target, avoid blanket --yes approvals, and remove cookies.json after use.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains cookies.json could access or change the user's Weiyun files until the session expires or is revoked.
The skill openly requires and stores session cookies that can act as the user across the entire Weiyun account.
weiyun-session-cookies ... kind: password-equivalent ... Full access to the authenticated user's Tencent Weiyun account, including listing, uploading, downloading, modifying, deleting and publicly sharing any file
Use a dedicated Weiyun account if possible, keep cookies.json private, do not upload or log it, and delete it when finished.
Approving the wrong command could delete, overwrite, move, or publicly expose cloud files.
The skill can perform high-impact cloud-account changes and public sharing, but the artifacts disclose this and describe confirmation safeguards.
mutating: upload_file ... delete_file ... clear_recycle_bin ... exposure: create_share ... Every handler that mutates the user's Weiyun account or exposes content externally routes through the same `_confirm()` gate
Approve only specific named paths, avoid broad folder/root operations unless intended, and do not allow automatic or blanket --yes confirmations.
