Tencent Cloud COS
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real Tencent COS integration, but its setup stores powerful cloud keys persistently and contains unsafe shell command construction that could run unintended commands.
Review the setup script before installing. If you use it, create a least-privileged Tencent CAM key for only the required bucket/actions, avoid exposing SSE mode, confirm destructive operations manually, and consider fixing the eval/quoting issues before providing real credentials.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or attacker-provided credential, bucket, domain, or service-domain value could cause unintended commands to run on the user's machine during setup.
Values supplied to setup are concatenated into a shell command and executed with eval, so crafted values could be interpreted as shell syntax during setup.
--secret-id) SECRET_ID="$2"; ... local COSCMD_ARGS="-a $SECRET_ID -s $SECRET_KEY -b $BUCKET -r $REGION" ... eval coscmd config $COSCMD_ARGS
Remove eval, pass arguments as quoted arrays, validate allowed characters for region/bucket/domain fields, and avoid interpolating secrets into shell or node -e code.
These keys may allow upload, download, signing, and deletion of COS objects depending on their Tencent CAM permissions, and they remain available to future shells and local tools.
The setup persists Tencent Cloud API keys in shell startup files and also embeds them into the mcporter/cos-mcp command arguments.
export TENCENT_COS_SECRET_ID="$SECRET_ID"; export TENCENT_COS_SECRET_KEY="$SECRET_KEY" ... local COS_MCP_ARGS="... --SecretId=$SECRET_ID ... --SecretKey=$SECRET_KEY"
Use a least-privileged Tencent CAM key scoped to only the needed bucket/actions, prefer environment or secret-manager handling over command-line args, and provide cleanup/rotation instructions.
Users have less assurance that the reviewed package identity matches the registry entry they intend to install.
The packaged _meta.json conflicts with the supplied registry metadata, which lists a different owner, slug, and version. That creates a provenance gap for a skill that installs code and handles cloud credentials.
"ownerId": "kn75r0rammt45k8qe5we0sh63580c5y0", "slug": "tencent-cos-skill", "version": "1.0.6"
Reconcile registry and packaged metadata, publish from a verifiable source, and include a homepage/repository so users can confirm provenance.
Future installs could receive different dependency versions than the reviewed artifacts.
External packages are installed without version pins. This is expected for the COS integration, but it makes the installed code depend on current package-registry contents.
node package: mcporter; node package: cos-mcp; node package: cos-nodejs-sdk-v5
Pin dependency versions or provide a lockfile/reproducible install path, especially for setup that handles credentials.
A mistaken key or prefix could delete cloud objects, including many objects at once.
The skill documents object deletion and forced recursive deletion. That is purpose-aligned for storage management, but it is high-impact.
delete | `node scripts/cos_node.mjs delete --key <key>` ... Recursive delete | `coscmd delete -r <cosdir> -f`
Require explicit user confirmation for delete, recursive delete, move, and overwrite operations, and verify exact bucket/key/prefix before running them.
If enabled without network restrictions, other clients that can reach the SSE service may be able to invoke COS operations.
The template includes an optional SSE MCP server carrying COS credentials. It is documented and not the default setup path, but it changes the data boundary from stdio to a listening service.
"cos-mcp-sse": { "command": "npx", "args": ["cos-mcp", "--connectType=sse", "--port=3001"], "env": { "TENCENT_COS_SECRET_KEY": "<替换为腾讯云 API 密钥 Key>" } }
Prefer stdio mode unless SSE is needed, bind any SSE server to localhost only, restrict access with firewall controls, and do not expose it to untrusted networks.
