baidupcs-go Security Report — Trusted | ClawSafe

5 /100

baidupcs-go

百度网盘命令行客户端工具技能 — wraps BaiduPCS-Go CLI for file upload, download, transfer, and sharing

This is a pure-documentation skill that wraps a legitimate open-source Baidu Netdisk CLI tool (BaiduPCS-Go). No executable scripts, no code, no malicious indicators.

Skill Namebaidupcs-go

Duration27.4s

Enginepi

✓

Safe to install

This skill is safe to use. No action required.

Findings 1 items

Severity	Finding	Location
Info	Hardcoded IP in user_agent documentation example Doc Mismatch The BaiduPCS-Go.md documentation includes a user_agent example containing the IP '2.2.51.6'. This is a Baidu netdisk client identifier used as a CDN/serial number in User-Agent strings sent to Baidu's official API servers. It is not a C2 IP address. `BaiduPCS-Go config set -user_agent "netdisk;2.2.51.6;netdisk;10.0.63;PC;android-android"` → No action needed. This is a standard Baidu netdisk User-Agent format, not external IP contact.	`BaiduPCS-Go.md:694`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No filesystem access in skill — file operations delegated to installed BaiduPCS-…
Network	`NONE`	`NONE`	—	Skill issues no network requests; external traffic is Baidu API only (via instal…
Shell	`NONE`	`NONE`	—	No shell invocation in skill files
Environment	`NONE`	`NONE`	—	BAIDUPCS_GO_CONFIG_DIR is documented as optional, not accessed by skill code
Skill Invoke	`NONE`	`NONE`	—	No inter-skill invocations
Clipboard	`NONE`	`NONE`	—	Not accessed
Browser	`NONE`	`NONE`	—	Not accessed
Database	`NONE`	`NONE`	—	Not accessed

1 High 11 findings

📡

High IP Address 硬编码 IP 地址

2.2.51.6

BaiduPCS-Go.md:694

🔗

Medium External URL 外部 URL

https://baike.baidu.com/item/通配符

BaiduPCS-Go.md:87

🔗

Medium External URL 外部 URL

https://wws.lanzoui.com/b01berebe

BaiduPCS-Go.md:327

🔗

Medium External URL 外部 URL

https://termux.com

BaiduPCS-Go.md:357

🔗

Medium External URL 外部 URL

https://web.archive.org/web/20190820154934/https://github.com/iikira/BaiduPCS-Go/wiki/Android-%E8%BF%90%E8%A1%8C%E6%9C%A...

BaiduPCS-Go.md:359

🔗

Medium External URL 外部 URL

https://web.archive.org/web/20190820155025/https://github.com/iikira/BaiduPCS-Go/wiki/iOS-%E8%BF%90%E8%A1%8C%E6%9C%AC%E9...

BaiduPCS-Go.md:363

🔗

Medium External URL 外部 URL

https://blog.csdn.net/ykiwmy/article/details/103730962

BaiduPCS-Go.md:396

🔗

Medium External URL 外部 URL

https://jingyan.baidu.com/article/5553fa829a6a9e65a23934b0.html

BaiduPCS-Go.md:405

🔗

Medium External URL 外部 URL

https://pan.baidu.com/s/12L_ZZVNxz5f_2CccoyyVrW

BaiduPCS-Go.md:825

🔗

Medium External URL 外部 URL

https://pan.baidu.com/s/12L_ZZVNxz5f_2CccoyyVrW?pwd=edv4

BaiduPCS-Go.md:827

🔗

Medium External URL 外部 URL

http://baidu.com

BaiduPCS-Go.md:910

File Tree

4 files · 38.0 KB · 1315 lines

Markdown 2f · 1220L JSON 2f · 95L

├─ 📝 BaiduPCS-Go.md Markdown 1170L · 33.7 KB

├─ 📋 commands.json JSON 77L · 2.2 KB

├─ 📋 package.json JSON 18L · 344 B

└─ 📝 SKILL.md Markdown 50L · 1.6 KB

Security Positives

✓ No executable scripts present — skill is pure documentation

✓ No credential harvesting or environment variable iteration

✓ No base64-encoded payloads, reverse shells, or obfuscation

✓ No curl|bash or wget|sh remote script execution

✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)

✓ No allowed-tools declarations that could be abused

✓ Legitimate open-source tool (qjfoidnh/BaiduPCS-Go fork of iikira/BaiduPCS-Go v3.6.2)

Scan Report

Findings 1 items

File Tree

Security Positives