Tencent Cloud COS

Security checks across malware telemetry and agentic risk

Overview

This Tencent Cloud COS skill is a real, disclosed cloud-storage integration, but it needs review because it can delete cloud data, change bucket settings, persist/decrypt credentials locally, and send broad CI API requests with limited guardrails.

Install only if you intend this agent to manage Tencent Cloud COS/CI resources. Use a dedicated least-privilege sub-account or short-lived STS credentials, avoid root or broad permanent keys, and do not grant delete or bucket-admin rights unless needed. Treat delete, delete-multiple, bucket setting changes, decrypt-env, and ci-request as high-risk operations and verify targets and request bodies before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents extensive shell execution (`setup.sh`, `node`, `export`, npm install) while the manifest does not declare corresponding permissions/capabilities. This creates a trust gap for reviewers and users because the skill can perform local system actions beyond what its declared interface suggests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose emphasizes COS/CI cloud operations, but the behavior also includes local environment setup, npm project initialization, writing secrets to `.env`, modifying `.gitignore`, and handling encrypted local credential files. This mismatch makes the skill more dangerous because users may consent to cloud storage actions without realizing it also alters the local project and credential state.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest security metadata says credentials are ephemeral and not written to disk, yet the documentation explicitly supports persistent `.env` storage and `.env.enc` handling. Inconsistent security claims can mislead users into providing sensitive cloud credentials under false assumptions about storage and retention.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The skill claims to forbid bucket deletion/emptying, but the generic `ci-request` entry point allows arbitrary API calls, which undermines the stated safety boundary. Even if CI endpoints are intended, a generic escape hatch weakens assurance that dangerous or unsupported operations are blocked.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Embedding credential encryption/decryption management inside a storage-processing skill expands its access to sensitive local secret material beyond the core cloud-operation use case. This increases attack surface because the skill can manipulate and recover locally stored credentials, not just use ephemeral runtime secrets.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `ci-request` action exposes a generic arbitrary CI API request primitive that accepts attacker-controlled method, path, body, and query values. This expands the skill beyond narrowly scoped task actions into a near raw API proxy, enabling invocation of undocumented or higher-risk operations the surrounding safety model did not explicitly review.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are extremely broad, including generic requests like uploading to the cloud, generating download links, processing images, or building a knowledge base. Overbroad triggering can cause the skill to activate unintentionally and perform cloud actions, data transfer, or setup steps in contexts where the user did not intend Tencent Cloud COS usage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents destructive and sensitive actions such as deleting files, bulk deletion, and persisting credentials, but does not require explicit confirmation or present prominent risk warnings at the point of action. This makes accidental data loss or unsafe secret handling more likely during normal conversational use.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The knowledge-base shortcuts allow natural-language requests to trigger document upload and search workflows without an explicit privacy or data-egress notice. In this context, users may unknowingly send local documents or sensitive text to Tencent Cloud services and indexing pipelines.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
These sections describe remote retrieval and a generic CI request interface that can send arbitrary paths, bodies, and query data to Tencent Cloud endpoints, but they do not clearly warn users that supplied image URIs, text, or request bodies are transmitted to external services. In a skill that handles files, knowledge-base content, OCR, moderation, and media processing, this omission can lead to inadvertent disclosure of sensitive data or use of the generic request primitive to exfiltrate user-provided content to cloud APIs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The single-object deletion path performs destructive remote deletion immediately when given `--key`, with no confirmation, dry-run, or explicit safeguard. In an agent setting, misinterpretation of user intent or prompt manipulation could cause irreversible data loss in the configured bucket.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Bulk deletion accepts a JSON array of keys and deletes them without any confirmation barrier, preview, or limit. This materially increases blast radius because a malformed input, prompt injection, or agent mistake can remove many objects at once.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
`decrypt-env` restores secrets to plaintext `.env` on disk, which weakens the protection model and may leave credentials exposed to local compromise, backups, editor plugins, or accidental commits. The function's success message notes the file creation, but there is no strong warning, interactive confirmation, or safer ephemeral alternative.

Credential Access

High
Category
Privilege Escalation
Content
| | `upload` → points at the knowledge-base bucket | "Upload to the knowledge base" → upload documents |
| | `hybrid-search` → points at the knowledge-base dataset | "Query the knowledge base" → semantic search over document content |
| **🚫 Forbidden** | ~~deleteBucket~~ | **Deleting/emptying buckets is not allowed** |
| **🔐 Credential management** | `encrypt-env` | Encrypt .env → .env.enc and delete the plaintext |
| | `decrypt-env` | Decrypt .env.enc → .env, restoring the plaintext |

## Security notes
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
| | `hybrid-search` → points at the knowledge-base dataset | "Query the knowledge base" → semantic search over document content |
| **🚫 Forbidden** | ~~deleteBucket~~ | **Deleting/emptying buckets is not allowed** |
| **🔐 Credential management** | `encrypt-env` | Encrypt .env → .env.enc and delete the plaintext |
| | `decrypt-env` | Decrypt .env.enc → .env, restoring the plaintext |

## Security notes
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
- Key derivation: `SHA-256(hostname + username + absolute project path)`
- **The encrypted file is bound to the current machine and user**; a copy on another machine or under another user cannot be decrypted
- To restore the plaintext: `node scripts/cos_node.mjs decrypt-env`
- To remove the credentials: `rm -f .env .env.enc`

**Other security requirements**:
- **Never echo** the SecretId/SecretKey **in the conversation**
Confidence
86% confidence
Finding
.env

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal