Volcengine TOS Storage
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill matches its stated Volcengine object-storage purpose, but it needs cloud access keys and offers mutating/storage-sharing commands that users should run with least-privilege credentials and explicit intent.
Before installing, confirm you trust the SDK source, use a least-privilege Volcengine IAM key, keep .env private, and only run upload, copy, delete, bucket creation/deletion, or presigned URL commands with explicit bucket/key/file/expiry choices.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong bucket, key, file, or URL expiry, the agent could change cloud storage contents or create a temporary access link to an object.
The skill exposes cloud-storage mutation and access-sharing operations. These are disclosed and aligned with the storage-management purpose, and deletion is documented as requiring --confirm.
`create-bucket` | Create bucket ... `delete-bucket` | Delete bucket ... `upload` | Upload a local file to the bucket ... `delete` | Delete object ... `presign` | Generate presigned URL
Use explicit bucket/key/file parameters, review presigned URL expiry, and require deliberate user confirmation for mutating actions.
The skill will act with whatever permissions the supplied Volcengine access key has, which may include listing, writing, deleting, or sharing storage objects.
The skill uses cloud account credentials from environment variables or .env. That is expected for Volcengine TOS, but the registry metadata lists no required env vars or primary credential.
Set environment variables: `VOLCENGINE_ACCESS_KEY` ... `VOLCENGINE_SECRET_KEY` ... Optional: use `.env` in repo root; script will auto-load.
Use a least-privilege IAM key limited to the intended buckets/actions, protect the .env file, and avoid using broad administrator credentials.
A user may install whatever version of the SDK is current or available in their package source.
The skill depends on an external Python package installed from the package index without a pinned version. This is normal for SDK-based skills but leaves package/version choice to the user environment.
Install TOS SDK: `pip install tos`
Install from a trusted package index and consider pinning a reviewed SDK version.
Local output files may retain storage metadata or temporary access URLs after the task completes.
Operation outputs may persist locally and can include bucket names, object keys, metadata, or presigned URL results generated by the skill.
Save operation results, manifests, and logs to `output/volcengine-storage-tos/`.
Review saved outputs before sharing them and clean up logs that contain sensitive object names or presigned URLs.
