ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cloud Storage Manager

v1.0.0

Manage multiple cloud storage providers with features for file upload/download, bucket management, sync, multipart uploads, and CDN integration.

0· 0·1 current·1 all-time
byLv Lancer@kaiyuelv
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name and SKILL.md describe a StorageManager/SyncManager offering full multi-cloud capabilities, which would legitimately require the listed cloud SDKs and credentials; however the source bundle is missing key implementation modules (storage.py and sync.py are imported in __init__.py but not present), making the package incomplete. Additionally registry metadata lists no homepage or source while SKILL.md points to a GitHub repo URL — a metadata mismatch.
Instruction Scope
SKILL.md contains reasonable usage examples and test instructions. It asks the agent to load credentials from environment variables (appropriate for cloud access). One minor oddity: the test invocation references an absolute agent workspace path (/root/.openclaw/workspace/skills/...), which assumes a specific runtime layout; otherwise instructions do not request unrelated system files or network endpoints beyond expected cloud SDKs.
Install Mechanism
There is no install specification (instruction-only install), so nothing is automatically downloaded or executed by the installer. The bundle includes a requirements.txt listing many cloud SDKs (expected for the stated purpose). Because no install step is provided, a user would need to pip-install dependencies themselves; this is not itself dangerous but increases manual-install friction.
!
Credentials
SKILL.md documents many provider-specific environment variables (AWS, Aliyun, Tencent, Azure) which are appropriate for the described functionality. However the registry metadata at the top of the package lists 'Required env vars: none' and 'Primary credential: none' — that's inconsistent. The skill legitimately needs secrets for cloud access, so do not supply credentials to the skill until implementation/source is validated.
Persistence & Privilege
The skill does not request persistent or always-on privileges (always:false) and model-invocation is not disabled (the default). It does not claim to modify other skills or global agent settings. This is normal and not concerning by itself.
What to consider before installing
Do not provide cloud credentials or enable this skill yet. Key problems: the package is missing core implementation files (it imports storage.py and sync.py but they are not in the bundle), and registry metadata contradicts SKILL.md (no required env listed vs. SKILL.md listing many secret env vars and a GitHub homepage). Ask the publisher for the canonical source (GitHub repo), verify that the published bundle actually contains the implementation, and inspect the real storage.py/sync.py before installing. If you must test, do so in an isolated sandbox or throwaway environment, and use temporary, least-privilege credentials (or mocks) rather than production keys. Verify dependencies in requirements.txt and prefer to install them in a virtualenv. If the publisher cannot resolve the missing files or metadata inconsistencies, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bvaac2c670z98anwy5dxwdn84ny3s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments