ClawHub

Volcengine Security Kms

v1.0.0

Key lifecycle management with Volcengine KMS. Use when users need key creation, rotation policies, encryption/decryption workflows, or key permission troubleshooting.

0· 918·1 current·1 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name and description state it manages Volcengine KMS (create/rotate/encrypt/decrypt/etc.), but the package declares no required environment variables, no credentials, and no config paths. Real KMS operations require cloud credentials (API key/secret, role, or SDK config) and often a region/endpoint; their absence is a mismatch between stated purpose and declared requirements.
Instruction Scope
SKILL.md contains high-level steps (confirm key purpose, create/select key, run encrypt/decrypt/sign, return metadata) and sensible safety rules, but it is purely advisory and lacks concrete runtime instructions: no API endpoints, no authentication flow, no SDK/CLI commands. That vagueness could lead an agent to attempt to use whatever credentials are available in the environment without explicit guidance.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That keeps the on-disk footprint minimal and is consistent with a documentation-style skill.
!
Credentials
No environment variables or primary credential are declared even though interacting with Volcengine KMS would normally require credentials (access key, secret, possibly region/endpoint). This omission is disproportionate and ambiguous: either the skill is only documentation (then it should say so), or it expects the agent to use existing credentials — which should be explicitly declared and scoped.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not demand elevated persistence. Autonomous invocation is allowed (platform default) but is not combined here with broad declared credentials.
What to consider before installing
This skill claims to manage Volcengine KMS but is missing essential operational details (authentication and concrete API/CLI steps). Before installing or using it: - Treat it as advisory documentation rather than an actionable integration until the author documents auth and invocation details. - Ask the publisher to declare required credentials (e.g., VOLCENGINE_ACCESS_KEY_ID, VOLCENGINE_SECRET_ACCESS_KEY, REGION/ENDPOINT) and the minimum IAM permissions needed for each operation. - Do not expose high-privilege or long-lived keys to the agent; prefer least-privilege scoped credentials or ephemeral roles. - If you intend to let the agent perform real KMS operations, test in a non-production account with narrowly scoped permissions and audit logs enabled. - If the skill will run autonomously with access to credentials, require explicit confirmation and review of the credential scope first. If the author clarifies that the skill is purely a checklist/documentation (no runtime API calls), it would be lower risk; if it is intended to perform real KMS operations, the current lack of declared credentials/config is a red flag and should be corrected.

Like a lobster shell, security has layers — review code before you run it.

latestvk973a5czkyyjdfqkwkm11ae99n80zzn6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments