Skill v1.1.5

ClawScan security

Tencent MPS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 7, 2026, 12:37 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions clearly require Tencent Cloud credentials and COS configuration, but the registry metadata omits those required environment variables and the SKILL.md even suggests workflows that could expose secrets; these inconsistencies and secret-handling guidance are concerning.
Guidance
Key points before installing or using this skill:
- This skill's scripts require your Tencent Cloud SecretId and SecretKey (and often COS bucket/region). The registry metadata currently does NOT declare these required env vars — treat that as a red flag and require the publisher to correct it.
- Do NOT paste your SecretId/SecretKey into a chat/conversation. SKILL.md suggests the agent can help configure if you send values in the conversation — that would expose secrets to the agent and any logs. Use a secure secret injection mechanism instead (platform secret store, environment variables injected by an admin, or an IAM role with minimal privileges).
- Inspect mps_load_env.py and any code that auto-loads environment files before running: the scripts reference loading env from /etc/environment, ~/.profile, etc. Verify what files are read and whether any code writes to or parses arbitrary system files.
- Limit credentials: if you must provide keys, create least-privilege credentials scoped to MPS/COS actions only and avoid using owner/administrator keys. Prefer short-lived credentials or COS pre-signed URLs where possible.
- Be aware of billing: many operations call Tencent MPS and will incur costs. The SKILL.md reminds about costs — confirm expected costs and test with dry-run (--dry-run) first.
- Verify link and TaskId handling: SKILL.md requires Markdown links and explicit TaskId output. Make sure any automation that parses script stdout cannot be coerced to exfiltrate secrets via those outputs.
- If you are not comfortable supplying cloud credentials or allowing the skill to read environment files, do not install or run it. Consider running the scripts locally in an isolated environment (container or VM) after manually reviewing the code.
If you want, I can: (1) highlight the exact places in the code that read environment files or prompt for secrets, (2) summarize which scripts require which env vars, or (3) suggest minimal IAM policies to limit the provided credentials.
Findings
[no_findings] unexpected: Static pre-scan reported no injection signals, but that does not mitigate the clear metadata vs runtime inconsistencies and the secret-handling guidance in SKILL.md.

Review Dimensions

Purpose & Capability
concern
Name, description, SKILL.md and included scripts all consistently implement Tencent Cloud MPS functionality (transcode, enhancement, AIGC, COS ops). However the registry metadata declares no required environment variables and no primary credential, while the scripts and SKILL.md clearly need TENCENTCLOUD_SECRET_ID / TENCENTCLOUD_SECRET_KEY and often TENCENTCLOUD_COS_BUCKET/TENCENTCLOUD_COS_REGION. That mismatch between declared requirements and actual code is an incoherence that should be resolved before trusting the skill.
Instruction Scope
concern
SKILL.md enforces behavior (only emit python commands, require TaskId reporting, format links as Markdown) and instructs environment setup paths (/etc/environment, ~/.profile, etc.). Critically, SKILL.md suggests users may 'directly send variable values in the conversation, by AI help configure' and the scripts attempt to auto-load environment files. Those instructions encourage secret disclosure and allow the skill to read system environment files — beyond what a benign helper should ask a user to paste into chat.
Install Mechanism
ok
There is no remote download or install spec; the package is delivered as local Python scripts. The scripts declare Python dependencies installed via pip (tencentcloud-sdk-python, cos-python-sdk-v5), which is a normal mechanism. No arbitrary external archives or URL-based installers were found in the provided manifest.
Credentials
concern
The skill requires high-sensitivity credentials (Tencent Cloud SecretId/SecretKey) and COS configuration for many operations, plus optional region/bucket vars. Those secrets are essential for the skill's functionality, but they are not declared in the registry metadata and the SKILL.md gives instructions that could lead to insecure handling (auto-load env files, ask users to paste values into chat). Multiple environment variables are requested across scripts (and some scripts call get_cos_presigned_url using secrets), so the scope of secrets is broad and must be treated carefully.
Persistence & Privilege
ok
The skill is not marked always:true and does not request elevated platform privileges. Nothing in the metadata indicates it modifies other skills or system-wide agent settings. That said, its runtime behavior (reading environment files, suggesting edits to ~/.profile or /etc/environment) means users may be prompted to persist credentials on the host — a user action, not an automatic privilege requested by the skill.