Security audit

Tencent Cloud COS

Security checks across malware telemetry and agentic risk

Overview

This is a real Tencent Cloud COS/CI skill, but it gives an agent broad cloud mutation and data-processing authority with weak scoping and confirmation controls.

Install only if you intend to let the agent operate Tencent Cloud COS/CI resources. Use a least-privilege Tencent sub-account or STS token, avoid root credentials, prefer ephemeral environment variables, and confirm before uploads, signed links, deletes, ACL/CORS changes, knowledge-base creation, document indexing, or generic ci-request calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence
Severity: Medium
Confidence: 86%
Finding
The documentation claims credentials are 'default non-persistent' while also promoting persistence to `.env` and encrypted storage, which can mislead users about actual secret-handling behavior. Ambiguous safety claims around credentials increase the chance that sensitive cloud keys are stored locally without fully informed consent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 83%
Finding
`encrypt-env` and `decrypt-env` are local secret-management features outside the core COS/CI business operations and materially expand the skill's power over local credentials. Contextually, this makes the skill more dangerous because a cloud-storage helper now also creates, transforms, and restores secret files on disk, increasing attack surface and user confusion.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding
The generic `ci-request` action allows callers to hit arbitrary CI API paths with attacker-controlled method, body, and query data, effectively bypassing the skill's intended action-level restrictions. In an agent skill context, this broad escape hatch can expose undocumented or higher-risk cloud operations and makes review of the declared feature set ineffective.

Intent-Code Divergence
Severity: Medium
Confidence: 88%
Finding
The code comments claim deletion and bucket emptying are forbidden, but the implementation only blocks `deleteBucket` while still exposing `deleteObject` and bulk deletion via `deleteMultipleObjects`. This mismatch is dangerous because operators and downstream agents may rely on the safety claim and unknowingly perform destructive data-loss actions.

Vague Triggers
Severity: Medium
Confidence: 81%
Finding
The trigger phrases include broad natural-language intents such as uploading to the cloud, generating download links, or protecting COS keys, which can cause the skill to activate outside narrowly intended Tencent COS scenarios. Overbroad activation is risky because this skill can then request credentials, perform shell setup, and manipulate cloud or local resources when the user may have meant something more general.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding
The knowledge-base and search triggers are not clearly limited to Tencent Cloud-backed implementations, so generic requests like 'build a knowledge base' may route to this skill unintentionally. In this skill's context, mistaken activation is more serious because it may lead to cloud account setup, dataset creation, document upload, and indexing of user content.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding
The skill documents uploads, deletions, moderation, OCR, and speech processing without a clear user-facing warning that files and content may be transmitted to Tencent Cloud services for storage and analysis. This is dangerous because users may unknowingly send sensitive documents, media, or personal data to third-party cloud processing pipelines.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding
The knowledge-base workflow omits a clear warning that uploaded documents are stored remotely and indexed for later semantic retrieval, potentially exposing sensitive content beyond the user's expectations. In this context, the risk is heightened because the feature is marketed as a convenient natural-language shortcut, which can make users overlook the persistence and searchability of their data.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding
The reference documents actions that can delete data, upload/download local and remote content, and send arbitrary requests to Tencent CI via the generic `ci-request` endpoint, but it provides no safety guidance, confirmation requirements, or warnings about data exposure and destructive effects. In an agent skill context, this increases the chance that the agent will perform risky cloud operations or exfiltrate user content without the user understanding the consequences.

Missing User Warnings
Severity: Medium
Confidence: 85%
Finding
`decryptEnvAction` writes decrypted cloud credentials back to a plaintext `.env` file immediately, without an interactive confirmation step or a stronger warning before materializing secrets on disk. In shared workstations, CI runners, or agent-managed environments, this increases the chance of credential exposure through accidental commits, backups, or local file disclosure.

Missing User Warnings
Severity: Medium
Confidence: 81%
Finding
The skill exposes destructive object deletion operations without any confirmation flow, dry-run, or user-facing warning. In an agent setting, where actions may be triggered from natural-language requests, this creates an elevated risk of unintended irreversible data deletion.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.