Huawei Cloud OBS SDK

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its Huawei OBS cloud-storage purpose, but its folder-download example can write files outside the chosen folder if OBS object names are crafted maliciously.

Install or use this only if you need Huawei OBS automation. Use least-privilege OBS credentials, review any delete/public-access/lifecycle action before running it, pin dependencies for sensitive use, and fix the folder-download path validation before downloading untrusted bucket contents.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a bucket contains a crafted object name, running this folder-download example could overwrite or create files outside the intended local folder.

Why it was flagged

The code constructs a local download path from a remote object key without checking for '..', absolute paths, or whether the final path remains inside local_folder_path.

Skill content

relative_path = object_key[len(obs_prefix):] if object_key.startswith(obs_prefix) else object_key
relative_path = relative_path.lstrip('/')
local_file_path = os.path.join(local_folder_path, relative_path)

Recommendation

Normalize and validate object keys before writing files, reject absolute paths and '..' segments, and confirm that the resolved path stays under the chosen download directory.
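The recommendation above applied to the quoted snippet, as an added example that is not the skill's own code: the original path construction is kept for comparison, and a hypothetical safe_local_path helper rejects absolute keys and '..' segments and confirms the resolved path stays under the download directory. The sample object keys and the 'downloads' folder are constructed for the demonstration.

```python
import os
from pathlib import Path, PurePosixPath, PureWindowsPath

def unsafe_local_path(local_folder_path, object_key, obs_prefix=""):
    # The skill's own construction, as quoted in the report: nothing stops a
    # key with '..' segments from climbing out of local_folder_path.
    relative_path = object_key[len(obs_prefix):] if object_key.startswith(obs_prefix) else object_key
    relative_path = relative_path.lstrip('/')
    return os.path.join(local_folder_path, relative_path)

def safe_local_path(local_folder_path, object_key, obs_prefix=""):
    """Map an OBS object key to a local path; raise ValueError for any key
    that would land outside local_folder_path (hypothetical helper)."""
    relative = object_key[len(obs_prefix):] if object_key.startswith(obs_prefix) else object_key
    # OBS keys are '/'-separated, but a Windows host would also honour '\'.
    relative = relative.replace("\\", "/")
    # Reject absolute keys under either path flavour ('/x' and 'C:/x').
    if PurePosixPath(relative).is_absolute() or PureWindowsPath(relative).is_absolute():
        raise ValueError(f"absolute object key rejected: {object_key!r}")
    parts = [p for p in relative.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError(f"parent-directory segment rejected: {object_key!r}")
    if not parts:
        raise ValueError(f"object key names no file: {object_key!r}")
    base = Path(local_folder_path).resolve()
    # resolve() follows symlinks already present under base, so a link that
    # points elsewhere cannot redirect the write either.
    target = base.joinpath(*parts).resolve()
    if base not in target.parents:
        raise ValueError(f"object key escapes download directory: {object_key!r}")
    return str(target)

def triage_keys(local_folder_path, obs_prefix, object_keys):
    """Return (accepted, rejected): key -> local path, and key -> reason."""
    accepted, rejected = {}, {}
    for key in object_keys:
        try:
            accepted[key] = safe_local_path(local_folder_path, key, obs_prefix)
        except ValueError as exc:
            rejected[key] = str(exc)
    return accepted, rejected

# Constructed sample bucket listing: two ordinary keys and three hostile ones.
SAMPLE_KEYS = [
    "backups/2024/db.sql",
    "backups/./logs/app.log",
    "backups/../../important.txt",
    "backups//absolute.txt",
    "backups/C:/Windows/hosts.txt",
]
```

Running triage_keys("downloads", "backups/", SAMPLE_KEYS) accepts only the first two keys and reports a reason for each of the other three, so a download loop can skip them and log the rejection instead of writing the file.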

What this means

Using the examples with real credentials can delete cloud data or change who can access stored objects.

Why it was flagged

The skill openly includes destructive and access-changing OBS operations as part of its stated purpose.

Skill content

- Create/delete buckets
- Bucket permission configuration
...
- Delete/copy/move objects

Recommendation

Use least-privilege credentials and require explicit user confirmation before deletes, public ACL changes, lifecycle rules, or bulk operations.

What this means

A user’s Huawei Cloud storage account can be read or modified according to the permissions on the supplied AK/SK keys.

Why it was flagged

The helper script loads Huawei OBS access keys from the environment or .env file, giving the script whatever OBS permissions those keys have.

Skill content

load_dotenv()
...
ak = ak or os.getenv('OBS_AK')
sk = sk or os.getenv('OBS_SK')

Recommendation

Use dedicated, least-privilege OBS credentials, avoid broad account keys, and store secrets outside shared project files.

What this means

Installing later dependency versions could change behavior or inherit future supply-chain issues.

Why it was flagged

The dependency versions are lower-bound ranges, so future package versions may be installed without a lockfile.

Skill content

huaweicloud-sdk-python-obs >= 3.22.12
python-dotenv >= 1.0.0

Recommendation

Pin dependency versions or use a reviewed lockfile when using this skill in sensitive environments.