Tencent Cloud COS

v1.1.3

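Tencent Cloud Object Storage (COS) and Cloud Infinite (CI) integration skill. Covers three core scenarios: file storage management, AI processing, and knowledge base. Storage scenarios: upload files to the cloud, download files from the cloud, batch-manage bucket files, get signed file links for sharing, view file metadata. Image processing scenarios: image quality assessment and scoring, AI super-resolution upscaling, AI smart cropping, QR code/barcode recognition, add text watermarks, get image EXI...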

by ShawnmZhang @shawnminh
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, and code implement COS and CI capabilities and legitimately require Tencent Cloud credentials and Region/Bucket config. However, the registry-level metadata at the top listed no required env vars/primary credential while SKILL.md's openclaw metadata clearly requires SecretId/SecretKey (and optional Token) mapped to TENCENT_COS_* env vars — this mismatch should be clarified.
Instruction Scope
Runtime instructions and scripts are focused on COS/CI tasks: they prompt for credentials, optionally persist them to a local .env, install the cos-nodejs-sdk-v5 package, and call COS/CI APIs. The scripts read/write files only inside the project (package.json, .env, .env.enc, .gitignore) and use COS endpoints (including {Bucket}.ci.{Region}.myqcloud.com). There is no instruction to read unrelated system files or transmit data to unexpected external hosts.
Install Mechanism
Install uses npm install cos-nodejs-sdk-v5 in the project directory. That's proportionate for a Node.js SDK-based skill; npm package installs are moderate-risk but expected. No arbitrary downloads from unknown URLs or extract-from-URL steps are present.
Credentials
The skill legitimately needs cloud credentials (SecretId/SecretKey) and optional STS Token, plus Region/Bucket/DatasetName for MetaInsight. This is proportionate. Note the registry summary omitted required env vars while SKILL.md lists them — user-facing required-env metadata should match. The skill recommends ephemeral STS and enforces guidance to use least-privilege sub-account keys (good).
Persistence & Privilege
always:false (no forced inclusion). The scripts may persist credentials to a local .env when the user requests --persist; they also provide .env.enc AES-GCM encryption bound to machine+user+project path. Writing is limited to the project directory; the skill does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: it uses the official Node SDK pattern to manage COS and CI. Before installing:
1) Confirm the registry metadata (required env vars) matches SKILL.md; the skill expects TENCENT_COS_SECRET_ID and TENCENT_COS_SECRET_KEY (and optional TENCENT_COS_TOKEN).
2) Prefer STS temporary credentials with least-privilege sub-account keys; do not supply root account keys.
3) Be cautious when using --persist: .env will contain plaintext unless you run the provided encrypt-env flow; keep .env out of version control and verify .gitignore is updated.
4) Verify the npm package cos-nodejs-sdk-v5 is the official Tencent package (check its npm / GitHub page) and consider installing in an isolated environment.
5) If you need stronger guarantees, inspect scripts/cos_node.mjs for any additional operations you want to allow; the script binds .env.enc decryption to machine+user+project path, so encrypted files cannot be decrypted elsewhere (this is deliberate but can be brittle if you move projects).

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ckr7pygrpft1dvz0yhw3zn584cqh4


Runtime requirements

☁️ Clawdis
Config: Region, Bucket

Install

Install COS Node.js SDK: npm i -g cos-nodejs-sdk-v5
