Aliyun Oss

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Aliyun OSS uploader, but it should be used carefully because it uploads files to cloud storage and uses OSS credentials.

Install only if you intend to connect this skill to an Aliyun OSS bucket. Use a dedicated least-privilege RAM user, protect `/root/.openclaw/aliyun-oss-config.json`, avoid broad ListObjects permissions where possible, do not use public-read mode for sensitive files, and verify whether any shared link is actually presigned and temporary before sending it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior frames the skill as a secure uploader with temporary links, but the analyzed behavior indicates broader object enumeration, possible public-read exposure, and reliance on long-lived AK/SK credentials. This mismatch is dangerous because users may trust the tool with sensitive files under the assumption of temporary, limited-access sharing, while the actual behavior can enable persistent exposure or broader bucket visibility.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises only upload and temporary link generation, but it also implements object search over the bucket. This expands capability beyond the declared purpose and can expose users to unintended metadata disclosure or bucket content discovery, especially in agent environments where tool permissions should be tightly scoped.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The search_file_by_name function iterates objects in the bucket and returns matching keys, sizes, timestamps, and presigned URLs. This is effectively bucket enumeration capability, which is more sensitive than simple upload functionality and can leak object existence and access paths to users or downstream agents.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code returns a standard OSS object URL, which may be long-lived or publicly accessible depending on bucket/object ACLs, instead of a time-limited signed URL as the description promises. This can cause unintended persistent exposure of uploaded media and mislead downstream users into thinking access is temporary and safer than it really is.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The module documentation states that it handles temporary access links, but the implementation only uploads the file and returns a standard URL plus advice to use the console manually. This security-documentation mismatch is dangerous because integrators may rely on the stated temporary-link behavior and accidentally expose uploaded content more broadly than intended.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill encourages uploading files to Alibaba Cloud and sharing generated links but does not clearly disclose that user data leaves the local environment or explain the privacy consequences of exposing URLs. In a file-upload skill, insufficient disclosure can lead to accidental transfer of confidential data to a third-party cloud service and unintended sharing of that data.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The function uploads a user-supplied local file to Alibaba Cloud OSS immediately, without any user-facing disclosure or confirmation in the transfer path. In an agent skill context, this is risky because a caller may believe the tool is performing local media handling while it is actually exfiltrating file contents to a remote cloud service.

VirusTotal

64/64 vendors flagged this skill as clean.
