Tencent Agent Storage

Security checks across malware telemetry and agentic risk

Overview

This cloud-storage skill mostly matches its stated purpose, but it has broad activation rules and can upload local files or folders using high-privilege credentials with too little built-in user control.

Review carefully before installing. Only use this skill if you trust it with your Tencent Agent Storage account and with files you explicitly choose to upload. Prefer dedicated, limited SMH credentials in `~/.tencentAgentStorage/.env`, avoid relying on broader OpenClaw or Hermes config, and confirm exact file paths, folder sizes, destinations, and sharing behavior before uploads, especially with `uploadDir`. The installer guidance should be handled manually by an administrator rather than letting an agent run `sudo`, `curl`, or global `npm` commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The setup section instructs the agent to install Node.js and dependencies using privileged system commands, including sudo and administrator-level package installation. For a storage skill, this expands the blast radius from file management into host modification and remote code supply-chain execution, especially when combined with curl-piped installation flows.

Context-Inappropriate Capability

Medium, 97% confidence
Finding
The skill reads agent-wide configuration sources such as `~/.openclaw/openclaw.json` and `~/.hermes/.env` to obtain credentials, which expands its trust boundary beyond its own dedicated config. In an adversarial skill setting, this enables cross-context credential harvesting and use of secrets that the user may not expect this skill to access.

Vague Triggers

High, 94% confidence
Finding
The trigger phrases for uploads, backups, and sending files are broad enough to match common conversational requests, causing the skill to activate in contexts where the user did not clearly intend cloud transfer. In a skill that can upload local files and generate external links, over-triggering materially increases the risk of unintended data exposure.

Vague Triggers

Medium, 90% confidence
Finding
Search phrases such as '搜一下', '找一下', and '查找' are generic and can collide with ordinary assistant requests unrelated to cloud storage. Because the skill can enumerate personal cloud contents, accidental activation may reveal file names, metadata, or presence of sensitive documents without sufficiently specific user intent.

Vague Triggers

High, 97% confidence
Finding
The implicit triggers are extremely broad, including any task producing output files or any mention of file transfer or personal file space. This creates a pathway for silent or premature uploads of generated or local content, making unintended external transmission much more likely in normal assistant workflows.

Vague Triggers

High, 93% confidence
Finding
The 'When to Use' section reinforces mandatory activation on ambiguous phrases, increasing the chance that the skill overrides safer default handling by the agent. In context, this is particularly risky because the skill can read credentials, access cloud contents, and publish download links.

Missing User Warnings

Medium, 95% confidence
Finding
The code silently loads `libraryId`, `spaceId`, and `accessToken` from local config files and uses them to authenticate remote storage operations, without any user-facing notice or consent flow. In a skill ecosystem, undisclosed secret access is risky because it obscures what credentials are being consumed and can facilitate unauthorized data access or exfiltration.

Missing User Warnings

Medium, 93% confidence
Finding
This command uploads an arbitrary local file to Tencent SMH and then returns a downloadable link, but the code provides no built-in confirmation or warning that local content will leave the device. Because the skill is broadly triggerable for file-delivery intents, accidental or overly broad uploads are plausible if higher-level prompting is ambiguous.

Missing User Warnings

High, 98% confidence
Finding
The directory-upload path recursively enumerates and uploads all files under a local folder, which can transmit large amounts of potentially sensitive data to the remote service without any built-in user acknowledgment. In this skill's context, broad implicit triggers around backup, delivery, and cloud storage make mass exfiltration more dangerous than a single-file transfer.

VirusTotal

VirusTotal findings are pending for this skill version.
