qianfan clawhub
Author: baidu_qianfan (GitHub) · v1.0.1 · MIT-0
Total downloads: 252
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install qianfan-clawhub
Description
Search and install Baidu Qianfan ecosystem skills with fuzzy matching across slug, name, and description fields
Safe-use recommendations
This tool largely does what it says — it searches Baidu's appbuilder and downloads skill zip files using your BAIDU_API_KEY. However, the included script will attempt an undocumented HTTP GET to http://localhost:4096/path and use its 'directory' field as the workspace when no workdir is provided; a malicious or compromised local service could point that to sensitive locations and cause files to be written there. Before installing or running: (1) read the script and consider removing or modifying the localhost call, (2) prefer running with an explicit --workdir you control (avoid relying on the default), (3) use a restricted BAIDU_API_KEY with minimal permissions, (4) run the tool in a sandboxed environment if possible, and (5) ask the author/maintainer to document and justify the localhost lookup or remove it.
Functional analysis
Type: OpenClaw Skill
Name: qianfan-clawhub
Version: 1.0.1
The skill functions as a package manager for the Baidu Qianfan ecosystem, which inherently involves high-risk operations like downloading and executing remote code. A potential Zip Slip vulnerability exists in `scripts/qianfanclawhub.py` because the `install_skill` function does not sufficiently sanitize file paths within downloaded ZIP archives before extraction. Additionally, the script attempts to discover the local environment's directory structure by querying an undocumented local endpoint at `http://localhost:4096/path`.
Capability assessment
Purpose & Capability
Name/description and required BAIDU_API_KEY align with interacting with Baidu's Qianfan/AppBuilder APIs (the code calls appbuilder.baidu.com endpoints for search/download). Required binary (python3) is reasonable. One mismatch: the SKILL.md and description state a default workspace of ~/.qianfan/workspace, but the code attempts to query http://localhost:4096/path to obtain a directory — this is not documented in the description and expands the skill's capabilities.
Instruction Scope
SKILL.md instructs only search/install and mentions --workdir, but the runtime code will attempt an unauthenticated HTTP GET to http://localhost:4096/path (timeout 5s) and use the returned JSON 'directory' as the skills workspace. That local-network behavior is not described in SKILL.md and can influence where downloaded zip contents are extracted (potentially outside the expected ~/.qianfan path).
Install Mechanism
No install spec (instruction-only skill) and included Python script only; nothing in the manifest downloads arbitrary installers during installation. Risk from installation is low — runtime operations (network download of skill zip and extraction) are the main concern.
Credentials
Only BAIDU_API_KEY is required and used to authenticate requests to the declared Baidu endpoints, which is proportionate. However, because the script may consult a local HTTP endpoint to choose a directory, a local service could cause files to be written into attacker-controlled or sensitive paths — this elevates the impact of giving the skill write access via the API and filesystem.
Persistence & Privilege
Skill does not request always:true and does not change other skills' configs, but it writes downloaded zip contents into a filesystem path which can be chosen by a local HTTP response (see localhost:4096 call). That behavior can lead to extraction into arbitrary locations if a local service controls the returned 'directory', increasing the privilege impact of the skill when run on a host with such a service present.
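The two findings above (unsanitized archive paths in `install_skill`, and an extraction root chosen from a local HTTP response) share one mitigation: decide the workspace without consulting anything on the host, then refuse any archive entry that would resolve outside it. The block below is an added example written for this page, not the skill's own `scripts/qianfanclawhub.py`; the function names, the `DEFAULT_WORKSPACE` constant and the two sample archives are constructed for illustration.

```python
"""Hardened ZIP extraction and workspace selection for a skill installer.

Added example (not the skill's own scripts/qianfanclawhub.py). Function names and
the sample archives below are constructed for illustration.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path

DEFAULT_WORKSPACE = "~/.qianfan/workspace"   # the default documented in SKILL.md


def resolve_workspace(workdir=None):
    """Return the extraction root: an explicit --workdir if given, otherwise the
    documented default. No local HTTP service is consulted, so nothing running
    on the host can redirect where archive contents land."""
    chosen = workdir if workdir else DEFAULT_WORKSPACE
    return Path(chosen).expanduser().resolve()


def safe_targets(zf, dest):
    """Map every archive member to a path under dest, raising ValueError for any
    entry that would land outside it (the Zip Slip pattern)."""
    dest = Path(dest).resolve()
    targets = []
    for member in zf.infolist():
        name = member.filename
        parts = Path(name).parts
        # Cheap syntactic checks first: empty names, absolute paths, '..' components.
        if not name or os.path.isabs(name) or name.startswith(("/", "\\")) or ".." in parts:
            raise ValueError(f"unsafe archive entry: {name!r}")
        target = (dest / name).resolve()
        # Semantic check: the resolved path must be dest itself or strictly inside it.
        if target != dest and dest not in target.parents:
            raise ValueError(f"archive entry escapes workspace: {name!r}")
        targets.append((member, target))
    return targets


def archive_is_safe(zip_bytes, dest="/nonexistent/workspace"):
    """True if every entry of the archive would stay inside dest; nothing is written."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            safe_targets(zf, dest)
        return True
    except ValueError:
        return False


def extract_skill(zip_bytes, dest):
    """Validate the whole archive before writing a single file, then extract.
    Returns the list of files written, relative to dest."""
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member, target in safe_targets(zf, dest):
            if member.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(target.relative_to(dest).as_posix())
    return written


def build_zip(entries):
    """Build an in-memory ZIP from {name: text}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample archives: a well-formed skill, and one whose entry climbs out of dest.
BENIGN_ZIP = build_zip({
    "demo-skill/SKILL.md": "# demo\n",
    "demo-skill/scripts/run.py": "print('ok')\n",
})
TRAVERSAL_ZIP = build_zip({
    "demo-skill/SKILL.md": "# demo\n",
    "../../outside.txt": "should never be written\n",
})


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("workspace:", resolve_workspace(tmp))
        print("benign archive extracted:", extract_skill(BENIGN_ZIP, tmp))
        print("traversal archive accepted?", archive_is_safe(TRAVERSAL_ZIP, tmp))
```

The check is done in two layers on purpose: the syntactic test catches `..` and absolute names before any path arithmetic, and the `resolve()` comparison catches anything the first layer misses. Validating the whole member list before the first write means a bad entry in the middle of an archive leaves no partial extraction behind.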
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install qianfan-clawhub
- After installation, call the Skill by name directly or trigger it with /qianfan-clawhub
- Provide the inputs required by the Skill's parameter description to receive structured output
Version history
v1.0.1
- Added support for multi-field fuzzy matching across skill slug, name, and description.
- Introduced language-aware searching: prefers English keywords, falls back to Chinese if no results.
- Now requires BAIDU_API_KEY for authenticated access.
- Updated documentation to reflect new search strategies and requirements.
- Removed requirements.txt file.
v1.0.0
- Initial release of qianfan-clawhub.
- Search and install Baidu Qianfan ecosystem skills using prefix-matching.
- Install skills to a custom directory with the --workdir option.
- Supports secure, anonymous access to Baidu Cloud BOS storage.
- Integrated download, extraction, verification, and installation of skills.
FAQ
What is qianfan clawhub?
Search and install Baidu Qianfan ecosystem skills with fuzzy matching across slug, name, and description fields. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 252 downloads to date.
How do I install qianfan clawhub?
Run the command "/install qianfan-clawhub" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is qianfan clawhub free?
Yes, qianfan clawhub is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.
Which platforms does qianfan clawhub support?
qianfan clawhub is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed qianfan clawhub?
Developed and maintained by baidu_qianfan (@baiduqianfangroup); the current version is v1.0.1.