Cloud Storage

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: cloud-storage
Version: 1.0.1

The OpenClaw AgentSkills skill bundle for 'cloud-storage' is classified as benign. The `SKILL.md` and supporting documentation (`auth.md`, `costs.md`, `providers.md`) provide comprehensive instructions and best practices for managing cloud storage, including critical security advice regarding authentication, cost awareness, and operational safety. While `auth.md` details how to handle sensitive credentials (e.g., AWS access keys, Google service account keys) via environment variables or CLI commands, it does so in an educational context, explicitly warning about security traps like using root account keys or handling service account keys. There is no evidence of prompt injection, data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The content is entirely aligned with the stated purpose of managing cloud files securely and efficiently.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken transfer, sync, or delete operation could affect important cloud files or incur costs.

Why it was flagged

Cloud storage sync and management operations can modify, overwrite, or remove files across accounts. This is purpose-aligned and the skill includes safety checks, but the impact can be significant if used without user review.

Skill content

User needs to upload, download, sync, or manage files across cloud storage providers.

Recommendation

Confirm source, destination, scope, costs, and backup/restoration checks before approving bulk syncs, migrations, or deletions.

What this means

Over-scoped or mishandled credentials could allow unintended access to cloud files or account resources.

Why it was flagged

The skill describes use of cloud credentials, service account keys, CLI logins, and OAuth tokens. These are expected for the stated purpose, and the document gives some least-privilege guidance, but these credentials can grant broad cloud storage access.

Skill content

export AWS_ACCESS_KEY_ID=AKIA...; export AWS_SECRET_ACCESS_KEY=...; export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json; export AZURE_CLIENT_SECRET=...

Recommendation

Use least-privilege service accounts or scoped OAuth permissions, avoid root/admin keys, rotate secrets, and avoid exposing credentials in chat or logs.

What this means

It may be harder to independently verify the author or maintenance history of the guidance.

Why it was flagged

The artifacts do not provide a public source or homepage for provenance. Because there is no executable code or install step, this is only a provenance note, not a concrete unsafe behavior.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Review the included instructions and cross-check provider-specific guidance against official cloud provider documentation before acting on sensitive operations.