Scan Report
0/100
quark-auto-save
Manage quark-auto-save (QAS) tasks via API — add, search, run, and delete Quark cloud drive auto-save tasks
This is a legitimate Quark cloud drive auto-save API client with no malicious behavior detected. It simply wraps HTTP GET/POST calls to a user-provided QAS server.
Safe to install
No action needed. This skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | scripts/qas_client.py:186 reads task.json via open() |
| Network | NONE | READ | ✓ Aligned | scripts/qas_client.py:53-89 uses urllib to call user-provided QAS_BASE_URL |
| Shell | NONE | NONE | — | No subprocess or shell execution in the codebase |
5 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | `https://pan.quark.cn/s/***` | SKILL.md:22 |
| Medium | External URL | `http://192.168.1.x:5005` | SKILL.md:31 |
| Medium | External URL | `https://pan.quark.cn/s/xxx#/list/share/fid` | SKILL.md:109 |
| Medium | External URL | `https://pan.quark.cn/s/` | SKILL.md:146 |
| Medium | External URL | `https://pan.quark.cn/s/xxx` | SKILL.md:199 |
File Tree
2 files · 19.7 KB · 613 lines
Markdown 1f · 326L
Python 1f · 287L
├─ scripts
│  └─ qas_client.py (Python)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| stdlib | built-in | Python 3 standard library | No | Uses only os, sys, json, urllib, argparse — no external dependencies |
Security Positives
✓ No subprocess or shell command execution — uses Python urllib only
✓ No credential exfiltration — QAS_TOKEN stays on-device and is sent only to user-provided QAS_BASE_URL
✓ No sensitive file access — only reads task.json from user-provided path
✓ No obfuscation — all code is plain Python, no base64, eval, or dynamic execution
✓ No suspicious dependencies — only uses Python standard library (os, sys, json, urllib)
✓ Documentation is clear and accurate about all behaviors
✓ Token is transmitted via query parameters as documented, not hidden in request bodies