Qianfan Usage

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Baidu Qianfan quota checker, but it stores and reuses Baidu session cookies with incomplete safeguards and unclear runtime wiring.

Install only if you are comfortable letting this skill automate Baidu login and store reusable Baidu session cookies on your machine. Treat ~/.baidu-qianfan-auth.json like a password, avoid shared systems, delete it when finished, and review the missing qianfan-usage.sh command mapping before relying on the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The script reads persisted authentication cookies from a local file and repurposes them for API authentication without any visible consent, scope restriction, or validation. This creates a credential-handling risk because session cookies are sensitive secrets and using them directly can enable unintended account access or abuse if the script is misused or modified.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The code performs an authenticated outbound request to a remote service using session cookies but provides no manifest, permission boundary, or user disclosure. In an agent-skill context, hidden authenticated network access is dangerous because it can silently act on behalf of the user's account and normalize credential reuse.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The tool's stated purpose is quota retrieval, but it also performs full browser-driven login, handles a phone number, triggers SMS verification, and persists authenticated browser state. That expands the privilege and data-handling scope significantly, increasing the risk of misuse, accidental credential exposure, or user surprise in an automation context.

Intent-Code Divergence

Low
Confidence: 86%
Finding
The code automatically checks a consent/agreement box as part of login flow, which changes user state and may accept terms without an explicit informed action from the user. In an agent skill, silently taking legal/consent actions is unsafe because it can bypass expected user approval boundaries.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill performs automatic login to a real Baidu account using a phone number read from local environment variables, but the description does not clearly warn users that it will access and interact with their account. This can lead to unintended account actions, privacy exposure, and unsafe execution by users who do not realize the skill uses stored credentials and opens an authenticated session.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script loads persisted authentication cookies from a local file and automatically transmits them to a remote API, which exposes active session credentials to network requests without explicit consent or warning at runtime. In a skill context, handling stored browser-like cookies is sensitive because compromise of the file, misuse of the script, or accidental targeting changes could enable session abuse or account access.

Missing User Warnings

Medium
Confidence: 97%
Finding
Sensitive authentication cookies are loaded from disk and then used for remote authentication without a user-facing warning, consent prompt, or obvious storage protections. This is dangerous because session cookies are equivalent to bearer credentials and their silent use can expose account access patterns or facilitate unauthorized actions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script silently transmits cookie-derived session data to an external API to authenticate the request. In a skill setting, undisclosed transmission of account/session material is risky because users may not realize the code is acting with their existing authenticated session.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script stores authentication state in a local file and reads a phone number from an environment variable without explicit notice, consent, retention policy, or permission checks. Session cookies and phone numbers are sensitive data, and silent persistence increases the chance of credential theft, reuse, or accidental disclosure on shared systems.

Missing User Warnings

Medium
Confidence: 93%
Finding
The code assembles authenticated cookies and sends them in a network request to the service endpoint without explicit user-facing disclosure. While this is functionally necessary for authenticated quota retrieval, undisclosed transmission of session credentials is sensitive behavior and can be risky if users do not understand what data is being sent.

VirusTotal

66/66 vendors flagged this skill as clean.
