Back to skill

Security audit

Tencent Agent Storage

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud-storage skill, but it gives the agent broad authority to upload local files and whole folders to Tencent cloud storage with weak user-confirmation boundaries.

Install only if you specifically want this agent to manage Tencent Agent Storage. Use a dedicated least-privilege SMH token if possible, avoid placing unrelated secrets in the referenced config files, review any Node/npm setup manually, and require the agent to ask before uploading folders or any local files that were not explicitly named.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to install Node.js and dependencies globally using package managers, curl-piped installers, and privileged commands. For a storage skill, this expands its authority from file transfer into system modification and remote code installation, creating a supply-chain and host-compromise risk if triggered automatically or followed blindly.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill authorizes reading credentials from unrelated tool configuration files such as ~/.openclaw/openclaw.json and ~/.hermes/.env. Even if it claims to read only smh_* keys, this broadens local file access into other applications' sensitive config stores and increases the chance of credential harvesting, accidental disclosure, or cross-tool secret abuse.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger phrases are broad enough to match many ordinary file-related requests, causing the skill to activate in contexts where the user did not clearly request cloud upload or sharing. In a skill that can transmit files externally, overbroad activation materially increases the risk of unintended data exfiltration from local files or generated outputs.

Vague Triggers

High
Confidence
97% confidence
Finding
The implicit trigger rules are especially dangerous because they allow activation based on vague conversational context like any mention of file transfer or the agent needing to deliver output files. That makes cloud upload a default side effect of unrelated workflows, increasing the likelihood of silent or surprising external transmission of sensitive artifacts.

Vague Triggers

Medium
Confidence
90% confidence
Finding
This section reinforces mandatory broad activation without adding guardrails, making accidental invocation more likely. In the context of a skill that uploads files and generates shareable links, repeated broad activation language compounds the risk of unintended external transmission.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill automatically reads cloud storage credentials from multiple local configuration files and then uses them to communicate with a remote Tencent SMH endpoint, but there is no built-in user-facing disclosure or consent gate in the script itself. In an agent-skill context, silent credential use and implicit remote transmission increase the risk of users unknowingly exposing account-scoped data or triggering cloud operations they did not explicitly approve.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The directory upload command recursively enumerates and uploads every file in a local folder to remote storage once invoked, without any built-in warning, preview, or confirmation of file count, filenames, or total size. In an agent environment, this makes accidental bulk exfiltration much more likely, especially when user intent is ambiguous or a broad path is supplied.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/agent-storage.js:38