📦 cloud189-storage — 天翼云盘管理
v1.0.0一键登录天翼云盘获取Token,支持智能搜图、目录/文件列表查询、关键词搜索与极速下载,云端资源管理更高效。
2· 193·0 当前·0 累计
by 下载技能包
最后更新
2026/4/12
安全扫描
OpenClaw
可疑
medium confidenceThe skill's instructions and reference docs are consistent with a Cloud189 file-management helper, but it asks users to paste authorization codes/tokens into the conversation and contains a scanner-detected 'base64-block' pattern — both raise credential-exposure and prompt-injection concerns.
评估建议
This skill appears to implement Cloud189 file operations and the included docs are consistent with that purpose, but it requires you to complete an OAuth exchange and (per the docs) paste the authCode or accessToken into the chat and/or save it in your environment. Before using/installing: 1) Do not paste long-lived access tokens or auth codes into public or untrusted chat/history; prefer performing the token exchange locally (browser or your machine) and only provide short-lived/least-privilege...详细分析 ▾
✓ 用途与能力
Name/description (Cloud189 login, search, list, download) match the included reference documents and the single external API host (https://api.cloud.189.cn). There are no unrelated binaries, env vars, or install steps requested.
ℹ 指令范围
The SKILL.md plus reference files are explicit about workflows and limit actions to calling Cloud189's unified Skill API. However the docs instruct the agent to have the user copy/paste an OAuth authorization code and to exchange it (and then save the accessToken), which requires the user to disclose sensitive credentials in the conversation. The pre-scan flagged a 'base64-block' pattern in SKILL.md content — likely due to long encoded/example strings in responses but worth attention as a potential prompt-injection indicator.
✓ 安装机制
Instruction-only skill with no install spec and no code files: lowest installation risk. Nothing is written to disk or downloaded by the skill package itself.
ℹ 凭证需求
The skill does not request platform environment variables or other unrelated credentials. It legitimately needs the user's Cloud189 accessToken. However the guidance to save accessToken as an environment variable or paste authCode/accessToken into the chat increases the risk of credential leakage; the skill does not enforce secure storage best practices.
✓ 持久化与权限
No always:true, no installs, and no modifications of other skills or global agent configuration. The skill is user-invocable only.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/12
支持天翼云盘文件管理,包括下载、列表、智能搜图、文件搜索等操作
● 无害
安装命令
点击复制官方npx clawhub@latest install cloud189-storage
镜像加速npx clawhub@latest install cloud189-storage --registry https://cn.longxiaskill.com