☁️ TCED Cloud Drive | 腾讯云企业网盘
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent Tencent Cloud Drive connector, but it requires OAuth access to enterprise files and runs a pinned external MCP package.
Install only if you are comfortable granting TCED OAuth access. Verify the MCP config uses the pinned or reviewed tced-mcp version and official Tencent endpoints, authorize only the intended space, protect ~/.tced-mcp/auth.json, and review upload/download/overwrite paths before acting.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the token file could potentially use the authorized cloud-drive access.
The skill persists OAuth2 access and refresh tokens locally so the MCP server can access authorized TCED spaces.
`~/.tced-mcp/auth.json`: stores the OAuth2 token and configuration (created automatically)
Authorize only the needed space, keep the token file private, and use the recommended 600 file permission.
Mistaken paths, spaces, or overwrite choices could change or expose enterprise files.
The documented tools can upload, download, and optionally overwrite cloud-drive files, which is expected for the skill but can affect important business data.
`upload_file` ... `conflictStrategy`: `ask`/`rename` (default)/`overwrite`; `download_file` ... `localFilePath`
Confirm the active account, active space, remote path, local path, and overwrite behavior before file-transfer actions.
The external MCP package will handle OAuth and file operations, so trust in that package matters.
The skill relies on an npm-distributed MCP server package. The version is pinned and the artifact warns against @latest, which reduces but does not remove supply-chain risk.
"command": "npx", "args": ["-y", "tced-mcp@1.0.2"]
Use the pinned version or a reviewed version, avoid @latest, and verify the package provenance before granting OAuth access.
If endpoint variables are changed to an untrusted domain, tokens and file API traffic could be sent to the wrong place.
The configured provider endpoints determine where OAuth tokens and API requests are sent; the artifacts explicitly warn to use the official Tencent endpoints.
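These two environment variables determine the destination of all API requests (including the OAuth2 token). They must be explicitly set to the official production addresses in the `env` of `mcp.json`.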
Keep TCED_PAN_DOMAIN as https://pan.tencent.com and TCED_BASE_PATH as https://api.tencentsmh.cn unless you knowingly use a trusted private deployment.
