☁️ Tencent Cloud COS
v1.1.6 Tencent Cloud Object Storage (COS) tool.
2 · 1.7k · 1 current · 1 total
Security scan
OpenClaw
Suspicious
medium confidence
The skill's code and instructions match a legitimate Tencent COS integration, but registry metadata omits the credentials the skill actually requires and there are a few choices (optional on-disk persistence, machine‑tied encryption) you should review before installing.
Assessment recommendations
This package appears to be a legitimate Tencent COS integration, but note two important things before installing: (1) The registry metadata shown to you omitted the required Tencent credentials — the SKILL.md and scripts do require SecretId/SecretKey (and optional Token) plus Region and Bucket. Do not rely on the registry summary alone. (2) The setup can persist credentials to a .env file (or an encrypted .env.enc tied to your machine); prefer ephemeral STS tokens and avoid using --persist unles...
Detailed analysis
ℹ Purpose and capabilities
The skill claims to manage Tencent Cloud COS/CI/MetaInsight and the bundled Node.js script plus the cos-nodejs-sdk-v5 dependency are appropriate and proportionate for that purpose. However, the registry metadata (shown at top) lists no required environment variables/primary credential, while the embedded SKILL.md/openclaw metadata and scripts clearly require Tencent credentials (SecretId/SecretKey, optional Token) and config (Region, Bucket). This mismatch is an incoherence that should be resolved.
✓ Instruction scope
Runtime instructions (setup.sh and cos_node.mjs) stay within COS/CI/MetaInsight scope: installing SDK, reading/writing .env(.enc), and calling COS/CI endpoints. The scripts read environment variables (TENCENT_COS_*) and may persist them to .env or .env.enc; they do not contain obvious instructions to read unrelated system files or exfiltrate data to unexpected remote endpoints. The machine‑bound encryption and fallback behaviors are implemented in the script and are within expected scope for a credential-handling tool.
✓ Install mechanism
Install uses a single npm package (cos-nodejs-sdk-v5) via the node install mechanism—an expected, moderate-risk choice for a Node.js integration. No downloads from untrusted URLs or archive extraction were observed.
⚠ Credential requirements
The secret types requested by the SKILL.md (SecretId, SecretKey, optional Token) and required config (Region, Bucket) are necessary and proportionate for COS/CI operations. The concern is the inconsistency with the registry metadata which lists no required env vars/primary credential; that could mislead users or automated permission reviewers. The skill supports optional persistent storage of credentials to disk (.env/.env.enc) — this increases exposure compared to purely ephemeral session variables, so users should prefer STS tokens and avoid --persist unless necessary.
ℹ Persistence and privileges
The skill does not request unusual platform privileges, and always:false is set. It will, if the user opts in, persist credentials to .env or write an encrypted .env.enc in the project directory. The encryption key is derived from local machine attributes (hostname, username, project path), which prevents simple copying but means the encrypted file is machine/user-specific. Persisting credentials to disk increases risk; the skill itself enforces least-privilege recommendations but cannot enforce them for the user-provided keys.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest · v1.1.6 · 2026/2/5
tencentcloud-cos-skill 1.1.6
- No file changes detected in this version.
- Behavior, features, and documentation remain unchanged from the previous release.
● Benign
Install command
Official: npx clawhub@latest install tencentcloud-cos-skill
Mirror (accelerated): npx clawhub@latest install tencentcloud-cos-skill --registry https://cn.longxiaskill.com