Scan Report
8/100
bdpan-storage
Baidu Netdisk file management: upload, download, transfer, share, search, and other operations
Well-secured Baidu Netdisk management skill with comprehensive safety constraints, SHA256 verification, and multi-step confirmation flows.
Safe to install
This skill is safe to use. The declared capabilities match the actual implementation. Continue to follow the documented security constraints.
Findings 4 items
| Severity | Finding | Location |
|---|---|---|
| Low | Multi-step confirmation for downloads | scripts/install.sh:186 |
| Low | SHA256 verification before execution | scripts/install.sh:147 |
| Info | Credential handling via stdin | scripts/login.sh:137 |
| Info | Agent environment detection in update script | scripts/update.sh:206 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | Bash tool for install/update/uninstall scripts |
| Network | READ | READ | ✓ Aligned | curl/wget used only for Baidu CDN downloads |
| Shell | WRITE | WRITE | ✓ Aligned | Subprocess in install.sh, update.sh, login.sh, uninstall.sh |
| Environment | NONE | NONE | — | SKILL.md explicitly prohibits setting BDPAN_CONFIG_PATH, BDPAN_BIN, etc. |
| Skill Invoke | READ | READ | ✓ Aligned | Allowed-tools includes Glob, Grep for internal operations |
10 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://pan.baidu.com/s/1xxxxx?pwd=abcd | SKILL.md:99 |
| Medium | External URL | https://pan.baidu.com/s/1xxxxx | SKILL.md:100 |
| Medium | External URL | https://pan.baidu.com/s/1 | reference/bdpan-commands.md:128 |
| Medium | External URL | https://pan.baidu.com/s/1xxxxxxx | reference/bdpan-commands.md:230 |
| Medium | External URL | https://openapi.baidu.com/oauth/2.0/authorize?... | reference/examples.md:167 |
| Medium | External URL | https://openapi.baidu.com/oauth/...?device_code=xxxxx | reference/troubleshooting.md:34 |
| Medium | External URL | https://openapi.baidu.com/oauth/2.0/authorize?response_type=device_code&client_id=...&device_code=xxxxx | reference/troubleshooting.md:48 |
| Medium | External URL | https://issuecdn.baidupcs.com/issue/netdisk/ai-bdpan/installer/$ | scripts/install.sh:9 |
| Medium | External URL | https://pan.baidu.com/act/v2/api/conf?conf_key=bd_skills | scripts/update.sh:15 |
| Info | Email address | [email protected] | reference/examples.md:176 |
File Tree
10 files · 72.5 KB · 2716 lines (Markdown: 6 files, 1709 lines; Shell: 4 files, 1007 lines)
├─ reference/
│  ├─ authentication.md (Markdown)
│  ├─ bdpan-commands.md (Markdown)
│  ├─ examples.md (Markdown)
│  ├─ notes.md (Markdown)
│  └─ troubleshooting.md (Markdown)
├─ scripts/
│  ├─ install.sh (Shell)
│  ├─ login.sh (Shell)
│  ├─ uninstall.sh (Shell)
│  └─ update.sh (Shell)
└─ SKILL.md (Markdown)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| bdpan CLI | 3.7.3 | Baidu CDN | No | Pinned version with SHA256 verification |
| unzip | any | system | No | Standard tool, no external dependencies |
Security Positives
✓ Comprehensive security constraints documented in SKILL.md with path restrictions (only /apps/bdpan/)
✓ Agent explicitly prohibited from setting environment variables (BDPAN_CONFIG_PATH, BDPAN_BIN, etc.)
✓ Login must use login.sh script - direct bdpan login prohibited
✓ Config.json content (access_token) explicitly protected from reading/output
✓ All external downloads use SHA256 verification before execution
✓ Two-step confirmation for all installation and update operations
✓ Auth codes passed via stdin to prevent ps/cmdline exposure
✓ Update script requires explicit user trigger, prohibits automatic updates
✓ Strict trigger rules: the skill activates only when the user both mentions Baidu Netdisk and expresses a clear operation intent
✓ High-risk operations (rm, upload/download conflicts) require mandatory user confirmation
✓ Security disclaimer and safety warnings shown for use in shared or public environments
✓ Version pinning in install.sh (v3.7.3) with hardcoded checksums for each platform
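The install-time controls credited above (a pinned release, a hard-coded SHA256 digest checked before anything is unpacked or executed, and an auth code handed over on stdin rather than argv), as an added POSIX shell example. This is not the skill's own install.sh or login.sh and it never contacts the Baidu CDN: the "installer" is a constructed 3-byte sample file, the single pinned digest is the SHA-256 of that sample, and the function names and the `demo` platform key are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the bdpan-storage skill's own scripts. Shows the three
# controls the scan report credits the skill with: a pinned release version,
# a hard-coded SHA256 digest checked before any unpack/execute step, and a
# secret delivered on stdin instead of argv.
set -eu

BDPAN_VERSION="3.7.3"   # the release the report says install.sh pins

# Hard-coded digest table keyed by platform. Only a "demo" key exists here
# (assumed name); its value is the SHA-256 of the constructed sample
# installer, the bytes "abc". An unknown key fails so the caller refuses
# to install rather than silently skipping verification.
pinned_sha256() {
    case "$1" in
        demo) echo "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" ;;
        *)    return 1 ;;
    esac
}

# Portable digest helper: GNU coreutils sha256sum, or shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 only if FILE's digest equals EXPECTED.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# verify_installer PLATFORM FILE: the gate that must pass before unzip/exec.
# Returns 2 for an unknown platform, 1 on digest mismatch (the download is
# deleted so a later step cannot run it by accident), 0 when it is safe to
# unpack and execute.
verify_installer() {
    platform=$1; file=$2
    expected=$(pinned_sha256 "$platform") || {
        echo "no pinned digest for platform '$platform'; refusing to install" >&2
        return 2
    }
    if ! verify_sha256 "$file" "$expected"; then
        echo "SHA256 mismatch for $file (bdpan $BDPAN_VERSION); discarding it" >&2
        rm -f "$file"
        return 1
    fi
    echo "verified $file against pinned digest for bdpan $BDPAN_VERSION"
}

# Credential hand-off: argv is readable by every local user via ps and
# /proc, so the auth code goes through the child's stdin instead.
with_secret_on_stdin() {
    secret=$1; shift
    printf '%s\n' "$secret" | "$@"
}

# The consuming side: read exactly one line from stdin with no backslash
# processing or whitespace trimming, and fail on an empty code.
read_code_from_stdin() {
    IFS= read -r code || return 1
    [ -n "$code" ] || return 1
    printf '%s' "$code"
}

# Offline demo: writes the constructed sample "abc", verifies it, then shows
# a tampered copy being rejected. Run with: sh this_script.sh --demo
demo() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/installer"
    verify_installer demo "$dir/installer"
    printf 'abd' > "$dir/installer"
    verify_installer demo "$dir/installer" || echo "tampered download rejected (exit $?)"
    with_secret_on_stdin "code-1234" sh -c 'IFS= read -r c; echo "child got ${#c} chars on stdin"'
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The order matters: the digest is compared against a value baked into the script before `unzip` or the binary ever runs, and a mismatch removes the artifact instead of leaving it on disk for a retry path to pick up. The stdin hand-off is what keeps the auth code out of `ps` output; the same pattern applies to any token the skill passes to the bdpan CLI.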