baidu-netdisk
Fail
Audited by Snyk on Apr 9, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill's examples and flow instruct the agent to accept and embed share extraction codes/passwords (e.g., ?pwd=abcd or -p <提取码>) directly into bdpan command-line invocations, which requires the LLM to include secret values verbatim (even though it forbids reading config tokens).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required workflows (SKILL.md and reference/bdpan-commands.md) explicitly accept and fetch public Baidu share links (e.g., bdpan download/transfer "https://pan.baidu.com/s/…"), so the agent ingests untrusted, user-supplied third‑party content and uses that content (file metadata/size and transfer results) to drive actions and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's install and update scripts fetch and execute remote code at runtime — install.sh downloads and runs the installer from https://issuecdn.baidupcs.com/issue/netdisk/ai-bdpan/installer/${VERSION}/<installer_name>, and update.sh queries https://pan.baidu.com/act/v2/api/conf?conf_key=bd_skills to obtain a remote update URL and then downloads/unzips that package, so these URLs enable runtime execution of externally fetched code.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata