腾讯云COS存储
v1.1.1腾讯云对象存储(COS)和数据万象(CI)集成技能。覆盖文件存储管理、AI处理和知识库三大核心场景。 存储场景:上传文件到云端、下载云端文件、批量管理存储桶文件、获取文件签名链接分享、查看文件元信息。 图片处理场景:图片质量评估打分、AI超分辨率放大、AI智能裁剪、二维码/条形码识别、添加文字水印、获取图片EXI...
⭐ 0· 1.7k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill implements COS and CI operations using the official cos-nodejs-sdk-v5 and asks for COS credentials (SecretId/SecretKey and optional STS Token), Region and Bucket — all expected for the stated purpose. However the registry summary at the top of the package metadata (Required env vars: none, Primary credential: none) contradicts the SKILL.md's embedded metadata which explicitly requires secrets and config. This metadata mismatch should be resolved before trusting automated installers.
Instruction Scope
SKILL.md and scripts direct the agent to install the Node SDK, prompt the user for COS credentials, and run a local Node script to perform COS/CI operations. The runtime instructions do request credentials and optionally persist them to a local .env/.env.enc file, but do not instruct the agent to read unrelated system files or transmit data to non-Tencent endpoints. The actions (upload, download, CI jobs, content-audit, MetaInsight, etc.) are within the declared scope.
Install Mechanism
Install uses npm to install cos-nodejs-sdk-v5 (package named explicitly). This is a standard package registry install — moderate but expected risk for a Node.js integration. There are no downloads from arbitrary URLs, no extract-from-remote steps, and no obfuscated installers.
Credentials
The skill legitimately needs cloud credentials (SecretId/SecretKey; Token optional) and config (Region, Bucket). That access is proportional to the capability. Two things to note: (1) the top-level registry metadata claims no required env vars while SKILL.md requires them — an inconsistency that could mislead users or automated checkers; (2) the setup flow offers optional persistence of secrets to a local .env (permission 600) and an encrypted .env.enc based on machine+user+project-derived key — persistence is optional but increases exposure if misused.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It may persist credentials to project-local .env or .env.enc files (explicit --persist), which is limited in scope to the project directory. The .env.enc uses a key derived from host+user+path to prevent reuse elsewhere, which is reasonable but could make recovery harder if you move machines.
Assessment
This skill appears to be what it claims: a Tencent COS + CI integration implemented with the official Node SDK. Before installing, check these points: 1) Metadata mismatch — the registry summary shows no required env vars but the SKILL.md requires SecretId/SecretKey (and optional Token), Region and Bucket. Treat SKILL.md as authoritative but confirm with the publisher. 2) Use least-privilege credentials: create a sub-account with COS-only permissions and prefer STS temporary credentials (recommended by the skill). 3) Avoid using --persist unless you understand the tradeoffs; if you persist, the script writes a local .env (permissions 600) and can create a machine-bound .env.enc — make backups if you need portability. 4) Verify npm package provenance (cos-nodejs-sdk-v5) and run npm install in an isolated/project-local environment (not system-wide). 5) Because source/homepage are unknown, prefer running this in a controlled environment (container or dedicated user) the first time and review network traffic if you need to be extra cautious. If you want, provide the registry owner/homepage or a checksum of cos_node.mjs for further verification.Like a lobster shell, security has layers — review code before you run it.
latestvk974jyyt3gjjr3kztcar9xzf01844s3p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
☁️ Clawdis
ConfigRegion, Bucket
Install
Install COS Node.js SDK
npm i -g cos-nodejs-sdk-v5