Scan Report
8/100
bdpan-storage
Baidu Netdisk file management - Baidu Netdisk file management for upload, download, transfer, share, search, and other operations
Well-secured Baidu Netdisk management skill with comprehensive safety constraints, SHA256 verification, and multi-step confirmation flows.
Safe to install
This skill is safe to use. The declared capabilities match actual implementation. Continue following the documented security constraints.
Security findings (4)
| Severity | Finding | Location |
|---|---|---|
| Low | Multi-step confirmation for downloads | scripts/install.sh:186 |
| Low | SHA256 verification before execution | scripts/install.sh:147 |
| Info | Credential handling via stdin | scripts/login.sh:137 |
| Info | Agent environment detection in update script | scripts/update.sh:206 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | Bash tool for install/update/uninstall scripts |
| Network access | READ | READ | ✓ Consistent | curl/wget used only for Baidu CDN downloads |
| Command execution | WRITE | WRITE | ✓ Consistent | Subprocess in install.sh, update.sh, login.sh, uninstall.sh |
| Environment variables | NONE | NONE | — | SKILL.md explicitly prohibits setting BDPAN_CONFIG_PATH, BDPAN_BIN, etc. |
| Skill invocation | READ | READ | ✓ Consistent | Allowed-tools includes Glob, Grep for internal operations |
Findings (10)
| Severity | Category | Type | Value | Location |
|---|---|---|---|---|
| Medium | External URL | External URL | https://pan.baidu.com/s/1xxxxx?pwd=abcd | SKILL.md:99 |
| Medium | External URL | External URL | https://pan.baidu.com/s/1xxxxx | SKILL.md:100 |
| Medium | External URL | External URL | https://pan.baidu.com/s/1 | reference/bdpan-commands.md:128 |
| Medium | External URL | External URL | https://pan.baidu.com/s/1xxxxxxx | reference/bdpan-commands.md:230 |
| Medium | External URL | External URL | https://openapi.baidu.com/oauth/2.0/authorize?... | reference/examples.md:167 |
| Medium | External URL | External URL | https://openapi.baidu.com/oauth/...?device_code=xxxxx | reference/troubleshooting.md:34 |
| Medium | External URL | External URL | https://openapi.baidu.com/oauth/2.0/authorize?response_type=device_code&client_id=...&device_code=xxxxx | reference/troubleshooting.md:48 |
| Medium | External URL | External URL | https://issuecdn.baidupcs.com/issue/netdisk/ai-bdpan/installer/$ | scripts/install.sh:9 |
| Medium | External URL | External URL | https://pan.baidu.com/act/v2/api/conf?conf_key=bd_skills | scripts/update.sh:15 |
| Info | Email | Email address | [email protected] | reference/examples.md:176 |
Directory structure
10 files · 72.5 KB · 2716 lines (Markdown: 6 files · 1709 lines; Shell: 4 files · 1007 lines)
├─ reference
│  ├─ authentication.md (Markdown)
│  ├─ bdpan-commands.md (Markdown)
│  ├─ examples.md (Markdown)
│  ├─ notes.md (Markdown)
│  └─ troubleshooting.md (Markdown)
├─ scripts
│  ├─ install.sh (Shell)
│  ├─ login.sh (Shell)
│  ├─ uninstall.sh (Shell)
│  └─ update.sh (Shell)
└─ SKILL.md (Markdown)
Dependency analysis (2)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| bdpan CLI | 3.7.3 | Baidu CDN | No | Pinned version with SHA256 verification |
| unzip | any | system | No | Standard tool, no external dependencies |
Security highlights
✓ Comprehensive security constraints documented in SKILL.md with path restrictions (only /apps/bdpan/)
✓ Agent explicitly prohibited from setting environment variables (BDPAN_CONFIG_PATH, BDPAN_BIN, etc.)
✓ Login must use login.sh script - direct bdpan login prohibited
✓ Config.json content (access_token) explicitly protected from reading/output
✓ All external downloads use SHA256 verification before execution
✓ Two-step confirmation for all installation and update operations
✓ Auth codes passed via stdin to prevent ps/cmdline exposure
✓ Update script requires explicit user trigger, prohibits automatic updates
✓ Strong trigger rules requiring both Baidu Netdisk mention AND clear operation intent
✓ High-risk operations (rm, upload/download conflict) require mandatory user confirmation
✓ Security disclaimers displayed with safety warnings for public environment use
✓ Version pinning in install.sh (v3.7.3) with hardcoded checksums for each platform