qwencloud-usage

[QwenCloud] Manage account auth and query usage/billing. Use for: login, logout, check usage, view billing, free tier quota, coding plan status, pay-as-you-g...

This skill is mostly coherent with its purpose (login + usage reporting) but it does perform sensitive local operations you should be comfortable with before installing. What to consider before installing: - Review the source files (credential_store.py, device_flow.py, gossamer.py). They are included in the package and implement the behavior described. - Credentials: the skill stores access/refresh tokens locally under ~/.qwencloud using an encryption key derived from hardware identifiers (machine-id, MAC, DMI fields) or a host_id file. This is intended to protect tokens, but it means the script reads low-level system identifiers. - System commands: the code runs system utilities (dmidecode, ifconfig/ipconfig, networksetup) and subprocesses. These calls are used for key derivation and update-checks but are execution points that could fail or behave unexpectedly on locked-down systems. - Update-check: on each run the tool will try to detect a repo root and may execute a local check_update.py script (via subprocess) if found. That means it can execute code that exists in your repository; avoid running this in untrusted repositories. - Permissions: don’t run the tool as root unless you have to; as root it could write to system locations like /etc/qwencloud-host-id. Recommended actions: - If you trust the publisher and need the convenience, run it in a restricted environment (non-root user, isolated VM or container) and inspect or pin the packaged code. - If you only need read-only usage queries, consider running the scripts interactively and inspect what files they create (look under ~/.qwencloud) before giving authorizations. - If you maintain a private repo, be aware the update-check feature can execute repo-local scripts; remove or audit check_update.py in your repo if you enable this skill there. If you want a lower-risk option, ask the skill author for a version that uses an explicit, user-provided passphrase for file encryption (instead of hardware-derived keys) and disables the automatic repo-local update script invocation.

Type: OpenClaw Skill Name: qwencloud-usage Version: 0.2.0 The qwencloud-usage skill bundle is a legitimate tool for managing QwenCloud account authentication and querying billing data. It implements a standard OAuth 2.0 Device Flow for authentication and features a sophisticated credential storage system (credential_store.py) that supports system keyrings or AES-256-GCM encrypted local files. The encryption key is derived from hardware identifiers (MAC address, CPU ID, motherboard UUID) to bind secrets to the local machine, but this data is hashed locally and not exfiltrated. The bundle also includes a structured update-check mechanism (gossamer.py) and specific agent instructions (SKILL.md) to handle headless login and dependency management. No malicious behavior, unauthorized data exfiltration, or persistence mechanisms were found.