Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cos_Uploader_Qcloud_lh
v1.0.0
Receives photos via WeChat and automatically uploads them to Tencent Cloud COS infrequent-access storage, archived by year and month
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, code files, and required runtime (Python + COS SDK) all match the claimed purpose (receiving images and uploading to Tencent COS). Minor metadata mismatch: the registry record said "instruction-only" / no install spec, but the package actually includes install.sh, run.sh and Python modules (i.e., it's a code bundle that installs a virtualenv and pip packages).
Instruction Scope
The runtime instructions and implementation parse a file path out of the OpenClaw message and then open and upload that file. There is no path whitelisting or additional validation: both the --file debug mode and the automatic flow will upload any local file path that the message contains. If an attacker or misconfigured OpenClaw can supply a message containing an arbitrary filesystem path, this could be used to exfiltrate sensitive files. The skill also logs to a logs/ directory and writes encrypted config + encryption key under scripts/conf/ (see Credentials below).
Install Mechanism
There is no remote arbitrary download: install.sh creates a venv and installs well-known PyPI packages listed in scripts/requirements.txt (cos-python-sdk-v5, cryptography). package.sh and install.sh are standard shell scripts. No URL shorteners or external binary fetches were used. The install is local and traceable.
Credentials
The only secrets requested are Tencent COS SecretId/SecretKey, which are appropriate for the stated function. The skill encrypts them with Fernet and stores both the encrypted blob (cos_secret.enc) and the Fernet key (.encryption_key) under scripts/conf/ with restrictive file permissions (600). This is expected but worth noting: storing the encryption key on the same host (and in the same skill directory) means filesystem compromise or overly-broad host access still allows decryption. The code also contains a hardcoded OpenClaw media directory (/root/.openclaw/media/inbound) — it's not an external credential but is a hardcoded path assumption that may imply it expects root-style paths.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It creates directories and files inside its own skill directory (scripts/conf, scripts/logs), which is normal. The agent can invoke the skill autonomously by default (platform default); if you allow autonomous invocation, weigh this together with the Instruction Scope concern.
What to consider before installing
This skill appears to do what it says (upload WeChat-received photos to Tencent COS), but consider the following before installing:
- Risk of local-file exfiltration: the skill will upload any file path it is given (via the OpenClaw message or the --file debug flag). Ensure OpenClaw only passes legitimate media cache paths and that untrusted inputs cannot supply arbitrary filesystem paths.
- Limit COS credentials: use a scoped subaccount (least privilege) that only has the minimal COS permissions (bucket write) the skill needs; do not use root or high-privilege keys.
- Protect the host and skill directory: the encrypted config and the encryption key are stored on the same host under scripts/conf/. If an attacker gains filesystem access they can decrypt secrets. Restrict access (file permissions and OS-level controls) to the skill directory and logs.
- Review and test: inspect the scripts locally, run install in a controlled environment, and test uploads with non-sensitive test files first.
- Consider invocation policy: if your platform allows it, restrict autonomous invocation of this skill or add additional validation (e.g., only accept files from a verified OpenClaw channel) to reduce the attack surface.
If you want, I can point out exact lines to change to add a path whitelist, stricter mime checks, or to avoid storing the Fernet key on disk in the same folder.
Like a lobster shell, security has layers — review code before you run it.
