Back to skill

Security audit

cos-vectors-skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Tencent COS vector-storage admin skill, but it defaults to insecure HTTP and allows high-impact cloud changes without strong safety controls.

Review carefully before installing. Use only least-privilege Tencent Cloud credentials, prefer environment variables or a secret manager instead of command-line secrets, explicitly set HTTPS, and avoid using this against production buckets unless your agent workflow requires clear approval before deletes, policy changes, or bulk data operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README advertises very broad natural-language trigger phrases such as creating, listing, searching, and deleting vector resources, which can cause the skill to activate in contexts where the user did not intend an actual cloud operation. In an agent setting tied to real Tencent Cloud APIs, ambiguous invocation increases the chance of unintended reads, writes, or destructive actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents deletion of vector buckets without any warning about permanence, prerequisites, or confirmation expectations. In a skill designed for automated execution, this omission raises the risk that users or agents trigger irreversible destructive operations without understanding the impact.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README shows passing SecretId and SecretKey directly on the command line, which can expose credentials through shell history, process listings, terminal logging, or CI job logs. Because these are cloud credentials for a storage/vector service, exposure could enable unauthorized access, modification, or deletion of cloud data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks users to provide SecretId and SecretKey directly, but it does not warn that these are highly sensitive credentials or instruct users not to paste them into chat, logs, or shared transcripts. In an agent setting, this is dangerous because users may disclose long-lived cloud credentials into insecure channels, enabling account compromise and unauthorized access to COS resources.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation exposes destructive operations such as deleting vector buckets without any confirmation, backup, or irreversibility warning. In this context, the skill manages production data stores and indexes, so omission of safeguards materially increases the chance of accidental data loss from operator error or unsafe automation.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill documents HTTP as the default transport while simultaneously requiring cloud API credentials. Sending SecretId and SecretKey over HTTP exposes them to interception and tampering via man-in-the-middle attacks, which could lead to full compromise of the associated COS account and data operations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The usage example explicitly instructs operators to pass `--secret-id` and `--secret-key` on the command line, which can expose credentials through shell history, process listings, logging, and audit tooling. In a cloud-management skill that performs privileged COS operations, this materially increases the chance of credential leakage and subsequent unauthorized access to buckets and vector data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs an irreversible destructive operation against a cloud storage vector bucket immediately after parsing CLI arguments, with no explicit confirmation prompt, dry-run mode, or safeguard visible in this file. In an infrastructure-management skill whose purpose is to create and delete production resources, this increases the chance of accidental or automated deletion from operator error, mis-targeted parameters, or unsafe agent invocation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script performs an irreversible destructive action by deleting vectors specified on the command line without any interactive confirmation, dry-run mode, or additional guardrail. In an agent-skill context, especially one exposing lifecycle management for vector buckets and indexes, accidental invocation, malformed key input, or prompt-driven misuse could cause unintended data loss at scale.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script documentation instructs users to pass cloud SecretId and SecretKey directly on the command line, which can expose credentials through shell history, process listings, audit logs, and orchestration tooling. In a cloud-management skill that operates on COS vector buckets and policies, leaked credentials could enable unauthorized access to bucket metadata and potentially broader cloud resources tied to the same account.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script usage explicitly requires passing SecretId and SecretKey as command-line arguments, which can expose credentials through shell history, process listings, audit logs, and CI job output. In a cloud management skill that performs vector bucket and index operations, this increases the chance of credential leakage leading to unauthorized access to COS resources.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script allows callers to request raw vector data and metadata and then emits the returned content directly in its success output, with no warning, masking, or confirmation step. In a vector storage management skill, metadata and embedded content may contain sensitive business data, personal information, or proprietary embeddings, so this increases the risk of inadvertent disclosure through logs, terminal history, or downstream agent outputs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script directly applies a bucket access policy, which is a security-sensitive and potentially destructive operation, without any user-facing warning, dry-run mode, or confirmation step. In the context of a COS vector-bucket management skill, this increases the chance of accidental over-permissive policies or lockout conditions that could expose data or disrupt access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script explicitly documents and accepts cloud credentials via command-line parameters, which can expose secrets through shell history, process listings, audit logs, and orchestration tooling. In a Tencent COS vector-bucket administration skill, these credentials likely grant access to sensitive storage and vector data operations, so accidental disclosure can lead to unauthorized access or destructive actions.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.