Security audit

Tencent COS

Security checks across malware telemetry and agentic risk

Overview

This Tencent cloud storage skill is mostly coherent, but it gives broad cloud-data authority, including unconfirmed deletion and arbitrary Tencent CI API calls, and can activate even when the user did not explicitly choose Tencent Cloud.

Install only if you intentionally want a Tencent COS/CI integration and can provide least-privilege Tencent sub-account or STS credentials. Avoid using root or broad permanent keys, confirm every upload/delete/indexing action yourself, and be especially cautious with delete-multiple, ci-request, and decrypt-env. Generic requests like 'upload to cloud' should be treated as requiring explicit provider confirmation before this skill runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The `ci-request` action is a generic signed proxy to arbitrary CI API paths and methods, which bypasses the skill’s task-scoped interface and exposes any CI capability reachable by the configured credentials. In an agent setting, this materially expands the attack surface because a prompt or tool caller can invoke undocumented or higher-risk backend operations without additional validation, policy checks, or allowlisting.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The code claims bucket deletion and emptying are forbidden, but still exposes `delete-multiple`, which can be used to effectively empty large portions of a bucket by repeated calls. This is dangerous because the safety guarantee is misleading and may cause operators or downstream agents to assume destructive deletion is blocked when it is not.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger phrases are so broad that ordinary requests like uploading files to the cloud, creating a knowledge base, OCR, or image processing may activate this Tencent-specific skill even when the user did not intend to use Tencent Cloud. Overbroad activation can route unrelated user files and prompts into a credentialed cloud integration, increasing the chance of accidental data transfer, unintended billing, and misuse of configured cloud access.

Vague Triggers

Severity: High
Confidence: 96%
Finding
The skill explicitly instructs activation even when the user does not mention COS or Tencent Cloud. That makes the activation boundary ambiguous by design and is more dangerous than generic broad keywords because it authorizes provider-specific, credential-backed actions based on loosely similar intent alone. In a cloud-storage and knowledge-base skill, this can cause unanticipated exfiltration of user files/content to Tencent services and unexpected charges.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The generic `ci-request` capability enables callers to send arbitrary methods, paths, bodies, and query parameters to a remote Tencent CI endpoint, effectively exposing a raw request primitive. In an agent skill context, this broad, lightly constrained interface increases the risk of unintended sensitive-data transmission, misuse of high-impact CI actions, and bypass of safer action-specific guardrails.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The single-object delete action performs remote deletion immediately with no confirmation, warning, or safeguard. In an agent-integrated skill, this raises the risk of accidental or prompt-induced destructive operations against cloud data using valid credentials.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Bulk deletion accepts an arbitrary JSON list of keys and executes immediately without any user warning or confirmation, enabling rapid destructive changes at scale. In this skill’s cloud-storage context, that can result in widespread data loss if triggered accidentally or by a malicious prompt/tool invocation.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
`decrypt-env` writes plaintext cloud credentials back to `.env` on disk without an explicit warning, interactive confirmation, or ephemeral handling. That increases secret exposure risk because plaintext credentials may be left behind, copied, indexed, or later committed accidentally.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.