Tencent COS
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the supplied Tencent Cloud key is over-scoped or permanent, the skill could affect more buckets, data, or services than the user intended.
The skill requires critical Tencent Cloud API credentials so it can act on the user's COS and CI resources.
"SecretId" ... "sensitivity": "critical" ... "scope": "COS object storage and CI data processing APIs"
Use STS temporary credentials or a Tencent Cloud sub-account with least-privilege, bucket-scoped COS/CI permissions; do not use root account keys.
A mistaken or over-broad request could create processing jobs, alter cloud-side data, or perform less obvious CI operations under the user's Tencent Cloud account.
The skill exposes a generic CI API request action in addition to named workflows, allowing broad provider-side operations for the configured bucket.
ci-request — generic CI API request ... --method ... --path ... --body ... the request is automatically sent to `https://{Bucket}.ci.{Region}.myqcloud.com/{path}`
Prefer named actions where possible and require explicit user confirmation before delete operations, bucket-setting changes, signed URL sharing, or generic `ci-request` calls.
The installed package version may vary over time, which can affect reproducibility and supply-chain assurance.
The setup script installs the COS SDK from npm during setup without a version pin in the script.
npm install cos-nodejs-sdk-v5 --no-progress
Install from the official/trusted npm registry, consider pinning the SDK version, and review lockfiles/package integrity for production use.
Files selected for upload or processing will leave the local machine and be stored or processed in Tencent Cloud.
The upload action sends local file contents to the configured Tencent COS bucket, which is expected for this cloud-storage skill.
cosPromise("putObject", { Key: key, Body: createReadStream(filePath), ContentLength: statSync(filePath).size })
Verify the target bucket, region, object key, retention/access policies, and file contents before uploading sensitive data.
