Volcengine Storage Tos

v1.0.0

Object storage operations for Volcengine TOS. Use when users need upload/download/sync, bucket policy checks, signed URLs, or storage troubleshooting.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is described as a Volcengine TOS storage helper (upload/download/sync, signed URLs, policy checks). Performing those actions normally requires authenticated access to Volcengine (API keys, SDK credentials, or a platform connector). However, the skill declares no required environment variables, no primary credential, and no config paths. That unexplained gap between claimed capability and declared requirements is a coherence concern.
Instruction Scope
SKILL.md stays on-topic (confirm bucket/region/paths; validate auth; execute operation; return manifest) and includes sensible safety rules (avoid destructive deletes, preserve metadata, checksums). But 'validate auth and bucket policy' is vague—it does not specify how to obtain or store credentials, whether to prompt the user, or which env vars/credentials to check. That ambiguity could lead the agent to request secrets ad-hoc or to assume platform-level credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code to write to disk, which is the lowest-risk install model. No external downloads or packages are referenced.
Credentials
The skill declares no required environment variables or credentials but explicitly expects authentication and policy checks. A legitimate Volcengine storage skill would normally require at least one credential (API key/secret or platform connector). The lack of declared credential requirements is disproportionate and ambiguous. Also, provenance is missing (no homepage/source), increasing the risk that credential handling is underspecified.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not include install steps that modify agent/system config. Autonomous invocation is allowed (the platform default) but is not combined with other high-risk factors here.
What to consider before installing
Before installing or invoking this skill, ask the publisher: How does it authenticate to Volcengine TOS? Which exact environment variables, files, or platform connectors does it expect? Avoid pasting secrets into free-text prompts—prefer using platform-managed connectors or explicit env vars. Because the skill has no declared provenance (no homepage/source) and offers no credential handling details, treat it as untrusted until the author documents how auth is provided and how sensitive URLs/credentials are handled. Test any actions in a sandbox or with limited-permission credentials (read-only or a test bucket) and require explicit confirmation for any destructive operations.

Like a lobster shell, security has layers — review code before you run it.

latestvk975mx4968fgsz4b2v3btnf1vx80yc1a
