baidu-cloud-bos 安全扫描报告 — 可信 | ClawSafe

5 /100

baidu-cloud-bos

百度智能云对象存储(BOS)集成技能 - Baidu Cloud Object Storage integration

Legitimate Baidu Cloud Object Storage integration skill with clear documentation, proper credential handling, and no malicious behavior detected.

技能名称baidu-cloud-bos

分析耗时44.6s

引擎pi

✓

可以安装

Skill is safe to use. Consider pinning the SDK version in package.json for improved supply chain hygiene.

安全发现 2 项

严重性	安全发现	位置
低危	SDK version not pinned 供应链 The @baiducloud/sdk dependency in package.json uses caret range ^1.0.7 instead of exact version pinning. While this is Baidu's official SDK, exact versions provide better reproducibility. `"@baiducloud/sdk": "^1.0.7"` → Change to "@baiducloud/sdk": "1.0.7" for exact version control	`package.json:7`
提示	Credential access is intentional and documented 凭证窃取 The skill requires Baidu Cloud credentials (AccessKeyId, SecretAccessKey) which are legitimately stored in ~/.config/openclaw/baidu-cloud-bos/credentials.json with 600 permissions. SKILL.md clearly documents this behavior. `将凭证持久化到 ~/.config/openclaw/baidu-cloud-bos/credentials.json` → No action needed - this is expected behavior for cloud storage integration	`SKILL.md:43`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md: credentials stored to ~/.config/openclaw/
网络访问	`READ`	`READ`	✓ 一致	SKILL.md: BOS API operations (upload/download/list)
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md: setup.sh, bcecmd commands, npm install
环境变量	`READ`	`READ`	✓ 一致	bos_node.mjs:42 - reads BCE_* env vars for credentials
技能调用	`NONE`	`NONE`	—	No skill-to-skill invocation found

6 项发现

🔗

中危外部 URL 外部 URL

https://console.bce.baidu.com/iam/#/iam/accesslist

SKILL.md:35

🔗

中危外部 URL 外部 URL

https://console.bce.baidu.com/bos/

SKILL.md:36

🔗

中危外部 URL 外部 URL

https://cloud.baidu.com/doc/BOS/s/Djwvyrhiw

SKILL.md:86

🔗

中危外部 URL 外部 URL

https://cloud.baidu.com/doc/BOS/s/kmcn3zrup

SKILL.md:172

🔗

中危外部 URL 外部 URL

https://cloud.baidu.com/doc/BOS/s/Ck1rymwdi）

scripts/setup.sh:60

🔗

中危外部 URL 外部 URL

https://cloud.baidu.com/doc/BOS/s/Ck1rymwdi

scripts/setup.sh:173

目录结构

5 文件 · 36.2 KB · 1166 行

Markdown 2f · 487L JavaScript 1f · 403L Shell 1f · 266L JSON 1f · 10L

├─ ▾ 📁 references

│ └─ 📝 api_reference.md Markdown 209L · 9.0 KB

├─ ▾ 📁 scripts

│ ├─ 📜 bos_node.mjs JavaScript 403L · 10.1 KB

│ └─ 🔧 setup.sh Shell 266L · 7.0 KB

├─ 📋 package.json JSON 10L · 226 B

└─ 📝 SKILL.md Markdown 278L · 9.8 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`@baiducloud/sdk`	`^1.0.7`	npm	否	Official Baidu Cloud SDK, version range not pinned

安全亮点

✓ Clear and comprehensive SKILL.md documentation covering all operations

✓ Credentials validated with regex patterns before use (setup.sh lines 97-109)

✓ Credentials stored with 600 file permissions (chmod 600)

✓ Credentials read from env vars first, then config file fallback - follows security best practices

✓ No base64 encoding, obfuscation, or suspicious code patterns

✓ All network connections go to documented Baidu Cloud endpoints (bcebos.com)

✓ No exfiltration of credentials to third parties

✓ Input validation present for all user-provided parameters

✓ Dependency is Baidu's official SDK (@baiducloud/sdk)

✓ Error handling implemented throughout bos_node.mjs

✓ JSON structured output for all operations