Tencent COS
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: tencent-cos-skill
Version: 1.1.7
This skill bundle provides a comprehensive integration for Tencent Cloud COS and CI services, allowing for file management, AI image processing, and knowledge base creation. It includes a setup script (setup.sh) and a Node.js dispatcher (cos_node.mjs) that utilizes the official Tencent Cloud SDK (cos-nodejs-sdk-v5). While the skill handles sensitive API credentials and supports local persistence in a .env file, it implements security measures such as chmod 600 permissions, automatic .gitignore updates, and an optional AES-256-GCM encryption mechanism for stored secrets. All network activity is directed to legitimate Tencent Cloud endpoints (e.g., myqcloud.com), and no evidence of malicious intent or data exfiltration was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the supplied Tencent Cloud key is over-scoped or permanent, the skill could affect more buckets, data, or services than the user intended.
The skill requires critical Tencent Cloud API credentials so it can act on the user's COS and CI resources.
"SecretId" ... "sensitivity": "critical" ... "scope": "COS object storage and CI data processing APIs"
Use STS temporary credentials or a Tencent Cloud sub-account with least-privilege, bucket-scoped COS/CI permissions; do not use root account keys.
A mistaken or over-broad request could create processing jobs, alter cloud-side data, or perform less obvious CI operations under the user's Tencent Cloud account.
The skill exposes a generic CI API request action in addition to named workflows, allowing broad provider-side operations for the configured bucket.
ci-request — generic CI API request ... --method ... --path ... --body ... requests are automatically sent to `https://{Bucket}.ci.{Region}.myqcloud.com/{path}`
Prefer named actions where possible and require explicit user confirmation before delete operations, bucket-setting changes, signed URL sharing, or generic `ci-request` calls.
The installed package version may vary over time, which can affect reproducibility and supply-chain assurance.
The setup script installs the COS SDK from npm during setup without a version pin in the script.
npm install cos-nodejs-sdk-v5 --no-progress
Install from the official/trusted npm registry, consider pinning the SDK version, and review lockfiles/package integrity for production use.
Files selected for upload or processing will leave the local machine and be stored or processed in Tencent Cloud.
The upload action sends local file contents to the configured Tencent COS bucket, which is expected for this cloud-storage skill.
cosPromise("putObject", { Key: key, Body: createReadStream(filePath), ContentLength: statSync(filePath).size })
Verify the target bucket, region, object key, retention/access policies, and file contents before uploading sensitive data.
