Tencent Cloud Image Hosting (Upload files to get online URLs)

Upload files to Tencent Cloud COS (Cloud Object Storage). Use when the user needs to upload images, documents, or any files to Tencent Cloud COS. Supports en...

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 176 · 0 current installs · 0 all-time installs

by@parsonssss

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

The skill's name/description and the included script align: it uploads a user-specified file to Tencent Cloud COS and generates direct and pre-signed URLs. However, the registry metadata lists no required environment variables or primary credential, while SKILL.md and the script require TENCENT_SECRET_ID, TENCENT_SECRET_KEY, TENCENT_COS_BUCKET, and TENCENT_COS_REGION. That metadata omission is an incoherence that could mislead users about needed secrets.

✓

Instruction Scope

SKILL.md and scripts/cos-upload.js restrict actions to reading the specified local file, using provided Tencent credentials, and calling the official COS SDK to upload and generate URLs. The instructions do not instruct the agent to read unrelated files or send data to unexpected third-party endpoints. The script does not contain obfuscated or hidden network endpoints.

ℹ

Install Mechanism

There is no install specification. The script requires the npm package 'cos-nodejs-sdk-v5' (require call present), but the skill does not declare or install that dependency. This is an operational mismatch (may fail at runtime) rather than an obvious malicious install mechanism, but you should ensure dependencies are installed from official registries before running.

Credentials

The credentials requested by the SKILL.md/script (Tencent SecretId/SecretKey, bucket, region) are proportionate to uploading objects to COS. The concern is that the skill registry metadata does not declare these required environment variables or a primary credential; that inconsistency can cause users to overlook that they must provide sensitive secrets to the skill.

✓

Persistence & Privilege

The skill is user-invocable, always:false, and does not request persistent or elevated platform privileges. The script does not modify other skill configs or system-wide settings.

What to consider before installing

This skill appears to do what it claims (upload files to Tencent COS) but has two practical red flags: (1) the registry metadata does not declare the required Tencent credentials even though SKILL.md and the script require them, and (2) there is no install spec for the npm dependency 'cos-nodejs-sdk-v5'. Before installing or running: 1) Review the included script (you already have it) and confirm it only uploads the file you expect. 2) Do not provide your long-lived root credentials—create a Tencent Cloud key with minimal COS permissions scoped to the specific bucket and actions needed. 3) Install the COS SDK from the official npm registry (npmjs.com) or run in an isolated environment/container. 4) Avoid uploading sensitive files unless you control the target bucket and understand its access policy. 5) If you plan to rely on this as an automated skill, request that the publisher update the registry metadata to declare required env vars and add an explicit install section so you can audit dependency sources.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0

Download zip

latestvk97bpqzfg0kqeasm3ndg58bm3182b2nv

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

COS Upload

Upload files to Tencent Cloud COS (腾讯云对象存储) with automatic URL generation.

Quick Start

Method 1: Using Environment Variables

Set these environment variables:

export TENCENT_SECRET_ID=your-secret-id
export TENCENT_SECRET_KEY=your-secret-key
export TENCENT_COS_BUCKET=your-bucket-name
export TENCENT_COS_REGION=ap-guangzhou
export TENCENT_COS_PATH=uploads/  # optional

Then upload:

node cos-upload.js /path/to/file.png

Method 2: Using Command Line Arguments

node cos-upload.js /path/to/file.png \
  --secret-id AKIDxxx \
  --secret-key xxx \
  --bucket my-bucket-1250000000 \
  --region ap-guangzhou \
  --path images/

Output

On successful upload, returns:

Direct URL: https://{bucket}.cos.{region}.myqcloud.com/{key}
Signed URL: Pre-signed URL with 24-hour expiration (for private buckets)
COS Key: The object key in the bucket

Configuration Priority

Command line arguments (highest priority)
Environment variables
Default values

Environment Variables

Variable	Required	Description
`TENCENT_SECRET_ID`	Yes	Tencent Cloud API Secret ID
`TENCENT_SECRET_KEY`	Yes	Tencent Cloud API Secret Key
`TENCENT_COS_BUCKET`	Yes	COS bucket name (e.g., `my-bucket-1250000000`)
`TENCENT_COS_REGION`	Yes	COS region (e.g., `ap-guangzhou`, `ap-nanjing`)
`TENCENT_COS_PATH`	No	Upload path prefix (default: `uploads/`)

Command Line Options

Option	Description
`--secret-id`	Tencent Cloud API Secret ID
`--secret-key`	Tencent Cloud API Secret Key
`--bucket`	COS bucket name
`--region`	COS region
`--path`	Upload path prefix

Notes

Files are uploaded with auto-generated unique names: upload_{timestamp}_{random}.{ext}
Supports all file types (images, documents, videos, etc.)
Uses 5MB multipart upload threshold for large files
Automatically generates both direct and pre-signed URLs

Files

2 total

Select a file

Select a file to preview.

Comments

Loading comments…