Security Scan
OpenClaw
Security
medium confidence
Assessment and recommendations
This skill appears to do what it says: it wraps qshell commands for Qiniu Kodo. Before installing: (1) be aware the SKILL.md expects your QINIU_ACCESS_KEY and QINIU_SECRET_KEY but the registry metadata does not declare them — confirm how you will provide secrets and prefer platform secret storage rather than command-line args; passing keys on the command line can be visible to other users/processes. (2) Verify the qshell download URL and ideally validate its checksum/signature after download; th...
ℹ Purpose and capability
Name/description align with the included scripts and SKILL.md: all scripts call qshell to create buckets, upload, download, delete, and the README explains qshell workflows. No unrelated services, binaries, or permissions are requested. Minor inconsistency: registry metadata lists no required env vars/primary credential, but SKILL.md expects QINIU_ACCESS_KEY/QINIU_SECRET_KEY (and prefers storing them in ~/.openclaw/openclaw.json).
✓ Instruction scope
SKILL.md instructs only qshell-related actions: downloading qshell, configuring account, creating buckets, uploading/downloading/deleting objects. Scripts operate on local files/dirs under provided paths and do not attempt to read unrelated system files. The README's insistence on preserving specific download query parameters and use of a Referer header is unusual but appears to be a pragmatic workaround for that host; it does not imply other data collection.
✓ Install mechanism
This is an instruction-only skill (no install spec). It recommends downloading qshell from kodo-toolbox-new.qiniu.com — an official-seeming Qiniu domain — and running it locally. No arbitrary third-party installers, URL shorteners, or extract-and-run from unknown servers are used in the package itself. As always, users should verify checksums/signatures of downloaded binaries before execution.
⚠ Credential requirements
The SKILL.md expects QINIU_ACCESS_KEY and QINIU_SECRET_KEY (and suggests storing them in ~/.openclaw/openclaw.json), but the skill metadata does not declare these required env vars nor a primary credential. Requesting AK/SK is appropriate for object-storage operations, but the metadata omission reduces transparency. Also, the docs permit passing keys on the command line for short tests — that can leak secrets via process lists; the README notes not to echo keys but doesn't strongly warn about process-list exposure.
✓ Persistence and privileges
The skill does not request always:true and does not modify other skills or system-wide settings. It suggests storing credentials under the agent's own config (~/.openclaw/openclaw.json), which is a scoped and expected place for skill configuration.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.2 2026/3/29
● Benign
Install command
Official: npx clawhub@latest install qiniu-kodo-qshell
Mirror (accelerated): npx clawhub@latest install qiniu-kodo-qshell --registry https://cn.longxiaskill.com