Skillv1.0.1

ClawScan security

文件上传 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 10:01 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and documentation broadly match an internal unsigned S3-style upload tool, but there are multiple inconsistencies (domains, bucket names, returned URL) and minor mismatches between declared requirements and actual environment variables that warrant review before installation.
Guidance: This skill appears to implement what it claims (unsigned internal S3 uploads), but there are inconsistencies you should resolve before trusting it: 1) Verify the correct bucket name and CDN domain (SKILL.md and upload.py disagree on 'kkim-mario-claw' vs 'kim-mario-claw' and on corp.tencent.com vs corp.kuaishou.com). 2) Confirm the actual internal endpoint (bs3-hb1.internal) and whether returned URLs use the same host/format as the upload target. 3) Note the skill does not require AWS credentials (uses unsigned client), and it accepts BS3_ENDPOINT/BS3_BUCKET/BS3_REGION via env vars—ensure those cannot be set to exfiltrate uploads to an unintended host. 4) Review and, if needed, update the hardcoded URL construction in upload.py to consistently use the configured BS3_ENDPOINT and BS3_BUCKET rather than a different hardcoded domain. 5) Test in an isolated internal environment before using with sensitive files. If you want higher confidence, ask the publisher to correct the documentation mismatches and explicitly declare the optional environment variables in the registry metadata.

Review Dimensions

Purpose & Capability: notePurpose (upload files to internal BS3 storage, unsigned) matches the code: it creates an unsigned S3 client and uploads files. However the SKILL.md and upload.py disagree on several concrete details: SKILL.md mentions bucket 'kkim-mario-claw' in one place and 'kim-mario-claw' in others; SKILL.md uses 'bs3-hb1.corp.tencent.com' for CDN URLs while upload.py constructs URLs with 'bs3-hb1.corp.kuaishou.com'. These mismatches look like sloppy copy/paste or typos and should be clarified.
Instruction Scope: okRuntime instructions are focused on uploading files: installing boto3/botocore, using an internal endpoint, and calling upload_file/upload_bytes. The code only reads the file to upload and optional BS3_* env vars; it does not access unrelated system files or external endpoints beyond the internal upload endpoint and a constructed CDN URL.
Install Mechanism: okThis is instruction-only with a recommendation to pip-install boto3 and botocore. No external archives or arbitrary downloads are used. That is proportionate for Python upload code.
Credentials: noteThe skill declares no required env vars, but upload.py reads optional BS3_ENDPOINT, BS3_BUCKET, and BS3_REGION environment variables (with sensible defaults). This is reasonable, but the registry metadata did not list those env vars explicitly—verify you are comfortable with overriding endpoint/bucket via environment. No AWS credentials are required (unsigned client).
Persistence & Privilege: okThe skill is not force-enabled (always: false) and does not request elevated persistence or modify other skills. It can be invoked by the agent (normal).