Keplerjai Oss Uploader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uploads selected local files to Alibaba Cloud OSS and returns their URLs, with a clearly documented optional lifecycle feature that can expire objects under the upload prefix. Note that a lifecycle rule applies to every object under that prefix, not only to the files a given upload wrote.

Install this only if you intend to let the skill upload files to a specific Alibaba Cloud OSS bucket. Use a least-privilege RAM AccessKey scoped to that bucket and upload prefix (object write permission only; no bucket-lifecycle or other bucket-configuration permissions), inject secrets through environment variables or SecretRef, and do not enable --sync-lifecycle or KEPLERJAI_OSS_SYNC_LIFECYCLE_ON_UPLOAD unless automatic deletion after the configured number of days is intended for that upload prefix.
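The least-privilege RAM policy recommended above, as an added example (this is not the skill's own code or the project's documentation): it builds an upload-only custom policy scoped to one bucket and prefix, and audits any policy for control-plane grants such as oss:PutBucketLifecycle that an uploader should never hold. The bucket and prefix names are hypothetical; the RAM policy shape and OSS action names are the standard Alibaba Cloud ones.

```python
"""Upload-only RAM policy for an OSS uploader skill, plus an audit that flags
control-plane grants. Added example; not the Keplerjai Oss Uploader's own code.
Bucket and prefix names are hypothetical."""
import json

BUCKET = "example-assets"   # hypothetical bucket name
PREFIX = "uploads/"         # hypothetical upload prefix

# Action-name prefixes that let a principal rewrite bucket configuration
# (lifecycle, ACL, policy, ...) instead of just writing objects.
CONTROL_PLANE_PREFIXES = ("oss:PutBucket", "oss:DeleteBucket")
# Data-plane actions that delete rather than upload.
DESTRUCTIVE_DATA_ACTIONS = {"oss:DeleteObject", "oss:DeleteMultipleObjects"}


def upload_only_policy(bucket: str, prefix: str) -> dict:
    """Custom RAM policy granting object writes under one prefix and nothing
    else. oss:PutObject is enough for both simple and multipart uploads."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["oss:PutObject"],
                "Resource": [f"acs:oss:*:*:{bucket}/{prefix}*"],
            }
        ],
    }


def audit_policy(policy: dict) -> list:
    """Return human-readable findings for grants an uploader should not hold.
    An empty list means the policy is upload-only and scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            if action in ("*", "oss:*"):
                findings.append(f"wildcard action {action!r} grants bucket administration")
            elif action.startswith(CONTROL_PLANE_PREFIXES):
                findings.append(f"control-plane action {action!r} is not needed to upload")
            elif action in DESTRUCTIVE_DATA_ACTIONS:
                findings.append(f"destructive action {action!r} is not needed to upload")
        for res in resources:
            if res in ("*", "acs:oss:*:*:*"):
                findings.append(f"resource {res!r} is not scoped to one bucket/prefix")
    return findings


if __name__ == "__main__":
    good = upload_only_policy(BUCKET, PREFIX)
    print(json.dumps(good, indent=2))
    print("audit:", audit_policy(good) or "clean")
    # Constructed policy that would also let the skill rewrite lifecycle rules.
    broad = {"Version": "1", "Statement": [{"Effect": "Allow",
             "Action": ["oss:PutObject", "oss:PutBucketLifecycle", "oss:GetBucketLifecycle"],
             "Resource": [f"acs:oss:*:*:{BUCKET}"]}]}
    for finding in audit_policy(broad):
        print("audit:", finding)
```

If the lifecycle feature is genuinely wanted, grant oss:PutBucketLifecycle and oss:GetBucketLifecycle to a separate AccessKey used only for that step, so the credential the uploader holds day to day cannot change retention.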

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior requires reading environment variables and local files to upload content. This creates a transparency and governance gap: operators or users may authorize the skill without understanding that it can access sensitive local paths and injected secrets, increasing the chance of unintended data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented primarily as a file uploader, but the documentation also exposes bucket lifecycle management that can create or modify retention/deletion rules. That expands the blast radius from simple upload to potentially destructive storage administration, and a user invoking an upload-related skill may not realize it can alter bucket policy and cause automated object expiration.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file performs bucket lifecycle administration, which is materially broader than the declared skill purpose of uploading local files and returning accessible URLs. That hidden control-plane capability can alter retention behavior for many objects under a prefix and cause unexpected deletion of data, making the mismatch itself security-relevant in an agent skill context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code creates and writes lifecycle rules via put_bucket_lifecycle, an administrative action not justified by an uploader's stated purpose. In practice, this enables the skill to set expiration on objects under a chosen prefix, which can silently destroy retained assets or weaken data-governance expectations if invoked with privileged credentials.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script explicitly manages OSS bucket lifecycle rules, which is an administrative capability outside the stated skill purpose of uploading local files and returning accessible URLs. This expands the skill's authority from object upload into bucket-level policy mutation, increasing the blast radius if the skill is invoked unintentionally or by a malicious prompt/operator.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code loads OSS access credentials and calls sync_upload_prefix_lifecycle to perform Put/GetBucketLifecycle operations, granting bucket-administration powers not needed for simple file upload. In the context of an uploader skill, this hidden extra capability is dangerous because compromised invocation flow or misuse could alter retention/deletion behavior for uploaded objects or other prefixed content.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The upload flow can perform bucket lifecycle administration based solely on environment variables, even when the caller did not pass the explicit `--sync-lifecycle` flag. In agent or automation contexts, environment-controlled side effects expand the tool from file upload into bucket policy management, creating unexpected destructive behavior such as premature object expiration across the configured upload prefix.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This code path performs bucket lifecycle administration inside a utility whose stated purpose is uploading files and returning URLs. Combining data-plane upload with control-plane bucket policy changes increases blast radius: a compromise, misuse, or misconfiguration of this skill can alter retention behavior for many objects rather than just uploading one file.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger language is broad enough to activate on common mentions of OSS, static resources, or related terms, which can cause the skill to run in contexts where the user did not intend file upload or cloud-side actions. In a skill that reads local files and uses cloud credentials, over-triggering increases the risk of accidental data transfer or administrative side effects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill modifies persistent bucket lifecycle configuration without any user-facing warning, approval step, or visible indication beyond a log-style return string after the fact. In an agent setting, silent policy changes are dangerous because users may believe they are only uploading files while the skill also changes deletion behavior for future objects.
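The two findings above (environment-only activation of the lifecycle step, and writing bucket configuration with no approval step) can be addressed with the same pattern, shown here as an added example that is not the skill's own code. The environment variable name KEPLERJAI_OSS_SYNC_LIFECYCLE_ON_UPLOAD is the one the skill documents; the OSS_LIFECYCLE_DAYS variable, the flattened rule shape and the sample rules are constructed for the example. The env_gated function reproduces the problematic gate; explicit_opt_in, plan_lifecycle_sync and apply_plan show the hardened form: the flag alone enables the step, the full rule set is computed and shown as a dry-run plan (carrying over rules for other prefixes, since the put call replaces the whole configuration), and nothing is written without confirmation.

```python
"""Explicit opt-in gating and dry-run planning for a lifecycle-changing
uploader. Added example; not the Keplerjai Oss Uploader's own code. The
switch variable name comes from the skill's documentation; the rule shape,
sample rules and OSS_LIFECYCLE_DAYS are constructed for illustration."""
from dataclasses import dataclass, field

ENV_SWITCH = "KEPLERJAI_OSS_SYNC_LIFECYCLE_ON_UPLOAD"  # documented by the skill
ENV_DAYS = "OSS_LIFECYCLE_DAYS"                         # hypothetical tuning knob
TRUTHY = {"1", "true", "yes", "on"}

# Constructed sample of an existing bucket lifecycle configuration, flattened
# to the fields that matter here. Each rule applies to every object under
# its prefix.
SAMPLE_RULES = [
    {"id": "expire-logs", "prefix": "logs/", "status": "Enabled", "expiration_days": 30},
    {"id": "keep-uploads", "prefix": "uploads/", "status": "Enabled", "expiration_days": 90},
]


def env_gated(cli_flag: bool, env: dict) -> bool:
    """The pattern the findings describe: an environment variable alone turns a
    file upload into a bucket-policy change, even without --sync-lifecycle."""
    return cli_flag or env.get(ENV_SWITCH, "").strip().lower() in TRUTHY


def explicit_opt_in(cli_flag: bool, env: dict) -> bool:
    """Hardened gate: only the explicit flag enables the control-plane step.
    The environment may still supply parameters (the day count below), but it
    cannot switch the step on, so an inherited CI or agent environment cannot
    attach a deletion side effect to an ordinary upload."""
    return bool(cli_flag)


@dataclass
class Plan:
    rules: list                                   # complete rule set that would be written
    replaced: list = field(default_factory=list)  # ids of rules for this prefix
    warnings: list = field(default_factory=list)  # reasons an operator must review first


def plan_lifecycle_sync(existing: list, prefix: str, days: int) -> Plan:
    """Compute the rule set the put call would receive without sending it.
    Rules for other prefixes are carried over unchanged, because the call
    replaces the whole configuration; overlapping prefixes and shortened
    retention are reported instead of silently applied."""
    if not prefix.strip("/"):
        raise ValueError("refusing an empty prefix: the rule would cover the whole bucket")
    if days <= 0:
        raise ValueError("expiration days must be positive")
    plan = Plan(rules=[])
    for rule in existing:
        if rule["prefix"] == prefix:
            plan.replaced.append(rule["id"])
            if rule["expiration_days"] > days:
                plan.warnings.append(
                    f"rule {rule['id']} shortens retention for {prefix!r} from "
                    f"{rule['expiration_days']} to {days} days")
            continue
        if prefix.startswith(rule["prefix"]) or rule["prefix"].startswith(prefix):
            plan.warnings.append(
                f"rule {rule['id']} (prefix {rule['prefix']!r}) overlaps {prefix!r}")
        plan.rules.append(rule)
    plan.rules.append({"id": "expire-" + prefix.strip("/").replace("/", "-"),
                       "prefix": prefix, "status": "Enabled", "expiration_days": days})
    return plan


def apply_plan(plan: Plan, confirmed: bool, put_bucket_lifecycle) -> str:
    """Write only after the plan has been shown and approved. The writer is
    injected so the example runs offline; in production it would wrap the
    SDK's put-bucket-lifecycle call."""
    if not confirmed:
        raise PermissionError("lifecycle change requires explicit confirmation of the plan")
    put_bucket_lifecycle(plan.rules)
    return f"wrote {len(plan.rules)} rule(s); replaced {plan.replaced or 'none'}"


if __name__ == "__main__":
    env = {ENV_SWITCH: "1"}                      # no --sync-lifecycle on the command line
    print("env-gated would sync:", env_gated(False, env))            # True
    print("explicit opt-in would sync:", explicit_opt_in(False, env))  # False
    plan = plan_lifecycle_sync(SAMPLE_RULES, "uploads/", int(env.get(ENV_DAYS, "7")))
    for warning in plan.warnings:
        print("WARNING:", warning)
    print("would replace:", plan.replaced)
    written = []
    print(apply_plan(plan, confirmed=True, put_bucket_lifecycle=written.append))
```

In an agent setting the plan (rules to be written, rules replaced, warnings) is what should be surfaced to the user before the confirmation, not a log line after the write.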

VirusTotal

0/62 vendors flagged this skill; all 62 reported it clean.
