Volcengine TOS Storage
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: day253-volcengine-storage-tos
Version: 1.0.0

The skill bundle provides a standard management interface for Volcengine TOS (Tinder Object Storage) using the official 'tos' Python SDK. The core logic in 'scripts/tos_manage.py' implements expected storage operations (upload, download, list, delete) with appropriate safety measures, such as requiring a confirmation flag for destructive actions. No evidence of data exfiltration, unauthorized execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong bucket, key, file, or URL expiry, the agent could change cloud storage contents or create a temporary access link to an object.
The skill exposes cloud-storage mutation and access-sharing operations. These are disclosed and aligned with the storage-management purpose, and deletion is documented as requiring --confirm.
`create-bucket` | Create a bucket ... `delete-bucket` | Delete a bucket ... `upload` | Upload a local file to a bucket ... `delete` | Delete an object ... `presign` | Generate a presigned URL
Use explicit bucket/key/file parameters, review presigned URL expiry, and require deliberate user confirmation for mutating actions.
The skill will act with whatever permissions the supplied Volcengine access key has, which may include listing, writing, deleting, or sharing storage objects.
The skill uses cloud account credentials from environment variables or .env. That is expected for Volcengine TOS, but the registry metadata lists no required env vars or primary credential.
Set environment variables: `VOLCENGINE_ACCESS_KEY` ... `VOLCENGINE_SECRET_KEY` ... Optional: use `.env` in repo root; script will auto-load.
Use a least-privilege IAM key limited to the intended buckets/actions, protect the .env file, and avoid using broad administrator credentials.
A user may install whatever version of the SDK is current or available in their package source.
The skill depends on an external Python package installed from the package index without a pinned version. This is normal for SDK-based skills but leaves package/version choice to the user environment.
Install TOS SDK: `pip install tos`
Install from a trusted package index and consider pinning a reviewed SDK version.
Local output files may retain storage metadata or temporary access URLs after the task completes.
Operation outputs may persist locally and can include bucket names, object keys, metadata, or presigned URL results generated by the skill.
Save operation results, manifests, and logs to `output/volcengine-storage-tos/`.
Review saved outputs before sharing them and clean up logs that contain sensitive object names or presigned URLs.
