Tencent Cloud Image Hosting (Upload files to get online URLs)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward Tencent COS upload helper, but users should only provide scoped Tencent credentials and intentionally chosen files because it uploads them and prints access URLs.

Before installing or using this skill, verify the Tencent COS SDK dependency, use a dedicated least-privilege Tencent credential, avoid command-line secrets when possible, and upload only files you intend to place in COS. Remember that uploaded objects may persist until deleted and signed URLs can grant access for 24 hours.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

A mistaken file path could upload the wrong local file to cloud storage and produce shareable URLs for it.

Why it was flagged

The tool uploads whichever local file path is passed to a Tencent COS bucket. This is central to the skill, but it means file choice should remain explicit and user-directed.

Skill content
cos.uploadFile({
        Bucket: options.bucket,
        Region: options.region,
        Key: cosKey,
        FilePath: filePath,
Recommendation

Use the skill only for files you intentionally want to upload, and review bucket privacy settings and generated URLs before sharing them.

ASI03: Identity and Privilege Abuse
Low
What this means

Using an over-privileged Tencent Cloud key could expose more account authority than this uploader needs.

Why it was flagged

The skill requires Tencent Cloud API credentials. This is expected for COS uploads, but those credentials can carry broader account permissions if not scoped.

Skill content
| `TENCENT_SECRET_ID` | Yes | Tencent Cloud API Secret ID |
| `TENCENT_SECRET_KEY` | Yes | Tencent Cloud API Secret Key |
Recommendation

Use a dedicated least-privilege key restricted to the intended bucket and operations, avoid passing secrets on the command line when possible, and rotate credentials if exposed.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A user may need to install the SDK separately, so dependency source and version should be checked before use.

Why it was flagged

The script depends on an external Node package, while the provided artifacts include no package manifest, lockfile, or install spec pinning its version or provenance.

Skill content
const COS = require('cos-nodejs-sdk-v5');
Recommendation

Install the official Tencent COS SDK from a trusted package registry, pin the version where possible, and verify the packaged script path before running it.