Tencent Cloud COS

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Tencent Cloud storage integration, but it deserves review because it gives an agent broad authority to change cloud state, plus a raw CI API passthrough, without built-in confirmations.

Install only if you intend to let the agent administer Tencent Cloud COS/CI resources. Use STS or a dedicated least-privilege sub-account limited to the exact bucket and CI APIs needed, avoid root or broad long-lived keys, prefer environment variables over persisted `.env`, and manually confirm deletes, batch deletes, ACL/CORS changes, signed URL generation, knowledge-base creation, and any `ci-request` use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

Medium
Confidence: 86%
Finding:
The document emphasizes ephemeral credential handling while also providing built-in flows to persist credentials to `.env` or `.env.enc`. This creates a misleading security expectation that can cause users to disclose or store high-value cloud secrets under weaker protection than they believe.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding:
The generic `ci-request` entry point allows arbitrary CI API calls beyond the documented action set. This is dangerous because it expands the skill into a near-unbounded cloud API proxy, increasing the chance of misuse, unintended destructive operations, or access to higher-risk features not covered by the user-facing documentation.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
The `ci-request` action exposes a generic HTTP-capable wrapper around COS CI endpoints, allowing callers to reach arbitrary CI API paths with attacker-controlled method, path, body, and query. This bypasses the skill's otherwise task-scoped action model and can enable unintended privileged operations against Tencent CI services beyond the declared/expected surface area.

Intent-Code Divergence

Medium
Confidence: 96%
Finding:
The code claims bucket deletion and emptying are forbidden, but only blocks `deleteBucket` while still exposing `delete` and `delete-multiple` for arbitrary object removal. An attacker or mistaken caller can therefore empty a bucket object-by-object, contradicting the stated safety control and undermining operator trust.

Vague Triggers

Medium
Confidence: 84%
Finding:
The trigger phrases are extremely broad, including generic requests like uploading to the cloud, generating download links, or protecting COS keys. Overbroad activation can route unrelated user tasks into a privileged skill that handles shell commands and cloud credentials, increasing the chance of accidental secret handling or unintended state-changing operations.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The skill documents destructive or security-sensitive actions such as delete, ACL/CORS changes, uploads, and knowledge-base creation without a consistent confirmation model. In a cloud-storage context, these operations can alter data exposure, modify access policy, or cause irreversible data loss if invoked accidentally or through prompt confusion.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The single-object delete action performs irreversible remote deletion immediately with no confirmation, dry-run mode, or user-facing warning. In an agent setting, that increases the chance of accidental or prompt-induced destructive actions against cloud storage.

Missing User Warnings

Medium
Confidence: 95%
Finding:
Batch deletion accepts an arbitrary JSON array of keys and deletes them in one call without any confirmation or safeguard. This makes large-scale accidental or induced data loss much more likely, especially because the skill is designed for broad bucket management and cloud file operations.

VirusTotal

67/67 vendors flagged this skill as clean.