qiniu-kodo
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s Qiniu storage features are coherent, but its setup persists cloud secrets in shell/MCP configuration and can perform destructive bucket operations, so it needs review before installation.
Install only if you trust this skill and the Qiniu helper packages. Before running setup, use a least-privileged Qiniu key, consider not passing secrets on the command line, back up your shell profile and ~/.mcporter/mcporter.json, skip optional MCP/qshell installs unless needed, and require explicit confirmation before any delete, batch-delete, move, or overwrite action.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Qiniu cloud credentials could remain broadly available on the local machine after installation, increasing the impact if another process, log, backup, or user can read the shell profile.
When setup is run with credentials, it appends the Qiniu access key and secret key to the user's shell startup file, making them persistent and available to future shell sessions and child processes.
cat >> "$SHELL_RC" <<EOF ... export QINIU_ACCESS_KEY="$ACCESS_KEY" ... export QINIU_SECRET_KEY="$SECRET_KEY" ... EOF
Use a least-privileged Qiniu key scoped to the needed bucket, avoid putting secrets in shell profiles unless necessary, review and remove QINIU_* exports after setup if not needed, and prefer the chmod-protected skill config file or a dedicated secret manager.
Running optional MCP setup could disrupt other configured MCP tools and persist a new agent tool configuration across future sessions.
The MCP setup writes a whole mcporter configuration file with redirection, which can replace existing MCP server configuration rather than merging or backing it up.
cat > "$HOME/.mcporter/mcporter.json" <<EOF
{
"servers": {
"qiniu-mcp": {
"command": "qiniu-mcp-server"
Back up ~/.mcporter/mcporter.json before running setup, merge the qiniu-mcp entry manually, and require the installer to ask before changing shared agent/MCP configuration.
An incorrect or overbroad delete command could remove objects from your Qiniu bucket.
The skill documents force and batch deletion of cloud objects. This is aligned with storage management, but it is high-impact if run on the wrong key list.
# Force delete (no confirmation required)
node scripts/qiniu_node.mjs delete --key backups/old-backup.tar.gz --force
# Batch delete
node scripts/qiniu_node.mjs batch-delete --file delete-list.txt
Require explicit user confirmation for delete, batch-delete, move, and overwrite operations; avoid --force unless you have checked the exact object keys.
You rely on the current contents of external package registries and download URLs at install time.
The optional setup path installs global packages and downloads a CLI executable without a pinned version or checksum in the script.
npm install -g @openclaw/mcporter ... npm install -g @qiniu/qiniu-mcp-server ... wget -q "$QSHELL_URL" -O qshell.zip && unzip -q qshell.zip && chmod +x qshell
Prefer pinned versions, checksum verification for downloaded binaries, and local installs where possible; only install MCP/qshell if you need those fallbacks.
The configured MCP server will be able to act with your Qiniu credentials.
The optional MCP server is configured to receive Qiniu credentials through its environment. That is expected for the integration, but it is a sensitive boundary.
"servers": { "qiniu-mcp": { "command": "qiniu-mcp-server", "env": { "QINIU_ACCESS_KEY": "$ACCESS_KEY", "QINIU_SECRET_KEY": "$SECRET_KEY" } } }
Install the MCP server only from a trusted source, use limited-scope credentials, and verify which MCP clients can invoke it.
