Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TencentCloud COS Storage

Manage Tencent Cloud COS buckets and files, supporting bucket creation, file upload/download, lifecycle policies, access control, and cost optimization.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by superStupidBear@ugpoor
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and included Python code all align with a Tencent Cloud COS management tool (bucket and object operations, lifecycle, cost estimates). However the registry metadata claims 'Required env vars: none' and 'Primary credential: none' while the code reads TENCENT_SECRET_ID and TENCENT_SECRET_KEY — this mismatch is unexpected.
Instruction Scope
The SKILL.md and code confine actions to COS operations and local config handling: installing the COS SDK, placing credentials in a .env, creating/deleting buckets, uploading/downloading objects, lifecycle rules, and cost estimation. The docs reference running tccli/verification commands and pinging COS endpoints for troubleshooting; those are consistent with cloud storage tooling and the code. There are no instructions to read unrelated system files or to transmit data to unknown third‑party endpoints.
Install Mechanism
There is no formal install spec in the registry (instruction-only install). SKILL.md tells users to pip install cos-python-sdk-v5 and python-dotenv (via --break-system-packages). Installing runtime packages from PyPI is normal, but the explicit --break-system-packages flag can alter system package boundaries and should be used with caution.
Credentials
The code requires Tencent API credentials (TENCENT_SECRET_ID / TENCENT_SECRET_KEY) and region/config env vars, which are appropriate for the stated purpose — but the registry metadata fails to declare them as required. SKILL.md suggests granting broad COS permissions (action pattern shown as 'name/cos:*' which appears incorrect/overbroad). Requesting full COS privileges is proportionate to admin operations but users should prefer narrowly scoped sub-user keys with least privilege. The metadata omission (no declared required env) is the primary concern.
Persistence & Privilege
The skill is not forced-always and does not request any agent-wide persistent privileges. It does not modify other skills' configs in the provided files. Autonomous invocation is allowed by default; that is normal but increases blast radius if credentials are compromised, so credentials should be scoped appropriately.
What to consider before installing
This skill appears to implement Tencent COS management code that expects TENCENT_SECRET_ID and TENCENT_SECRET_KEY in a .env, but the registry metadata did not declare those required environment variables. Treat that as a red flag. Before installing:
  1) Verify the skill source and author (homepage/source unknown).
  2) Prefer creating a Tencent sub-user with least-privilege COS actions (limit to specific buckets and operations rather than broad cos:*).
  3) Inspect the code (already included) yourself or run it in an isolated environment.
  4) Avoid running pip with --break-system-packages on production machines; consider using a virtualenv.
  5) Store .env secrets securely and rotate keys if you decide to remove the skill.
If you need higher assurance, ask the publisher to update registry metadata to declare required env vars and to correct any incorrect action strings (e.g., 'name/cos:*') so permission requests are explicit and minimal.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.1.0

SKILL.md

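TencentCloud-COS - Tencent Cloud Object Storage Management Skill

📋 Skill Description

A management tool for Tencent Cloud COS object storage, used to create and manage buckets and to upload and download files.

Entry Component

To manage all Tencent Cloud services (CVM + Lighthouse + COS) in one place, use tencentcloud-manager as the entry component.

Related Skills

| Skill | Description |
|---|---|
| tencentcloud-manager | Unified entry component for Tencent Cloud |
| tencentcloud-ops | CVM + COS operations toolkit |
| tencentcloud-cvm | CVM cloud server management |
| tencentcloud-lighthouse | Lighthouse lightweight server management |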

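Core Features

COS bucket management

  • Create/delete buckets
  • Storage class management (standard / infrequent access / archive)
  • Lifecycle configuration
  • Cross-region replication

File management

  • Upload/download files
  • Batch upload
  • Multipart upload
  • File listing

Cost control

  • Storage class optimization
  • Automatic lifecycle transitions
  • Traffic monitoring

Security management

  • Access control
  • Hotlink protection
  • Encrypted storage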

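💰 Storage Class Price Reference

⚠️ Note: The prices below are reference ranges (updated 2026-03-29); actual prices are those listed on the Tencent Cloud official website.

Storage class overview

| Storage class | Price range | Use case | Savings |
|---|---|---|---|
| Standard storage | ~¥0.12-0.15/GB/month | Frequently accessed data | - |
| Infrequent-access storage | ~¥0.07-0.09/GB/month | Infrequently accessed data | ~35-40% |
| Archive storage | ~¥0.02-0.04/GB/month | Long-term retention | ~70-80% |

Get the latest prices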

from tencentcloud_cos import COSCostManager

cost_mgr = COSCostManager()

# Estimate cost
cost = cost_mgr.estimate_cost(
    storage_gb=100,
    storage_class='STANDARD',
    months=12
)

print(f"总成本:¥{cost['total']}")

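📊 Recommended Configurations

Scenario 1: Data collection storage

Storage strategy:
  - Last 7 days: standard storage (frequent queries)
  - 7-30 days: infrequent-access storage (occasional queries)
  - 30+ days: archive storage (long-term retention)

Data volume: 450 GB/month
Estimated cost: ~¥40-60/month

Advantages:
  ✅ Cost optimized
  ✅ Fast access to hot data
  ✅ Cheap storage for cold data

Scenario 2: Static website assets

Storage class: standard storage
Data volume: 100 GB
Estimated cost: ~¥15-20/month (storage) + traffic fees

Advantages:
  ✅ Fast access
  ✅ CDN acceleration
  ✅ High availability

Scenario 3: Backup and archive

Storage strategy:
  - Last 30 days: infrequent-access storage
  - 30+ days: archive storage

Data volume: 1 TB
Estimated cost: ~¥30-40/month (after 30 days)

Advantages:
  ✅ Very low cost
  ✅ Long-term retention
  ✅ Compliant backups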

⚠️ Prerequisites (required)

Step 1: Install the COS SDK

pip3 install --break-system-packages cos-python-sdk-v5

Steps 2-7: Configure sub-user permissions

Follow the configuration steps in the tencentcloud-cvm skill.

Permission policy:

{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "name/cos:*"
      ],
      "resource": "*"
    }
  ]
}

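🔒 Permissions

Permissions granted

| Permission | Scope | Description |
|---|---|---|
| name/cos:* | Object storage | Bucket/object management |

Permissions not granted (for safety)

| Permission | Reason |
|---|---|
| finance:* | ❌ Financial permissions |
| cam:* | ❌ User management |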
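
The policy above allows every COS action on every resource, which is the scope the scan advises narrowing. The check below is an added example, not part of the skill's code: it flags wildcard actions and unpinned resources in a CAM policy document and runs against both the SKILL.md policy and a constructed scoped alternative. The region, uid and bucket name in the scoped policy are placeholders, and the `qcs::cos:<region>:uid/<appid>:<bucket>/<key>` resource form is an assumption of this example.

```python
import json

# Policy exactly as shown in the SKILL.md above.
SKILL_POLICY = json.loads("""
{"version": "2.0",
 "statement": [{"effect": "allow", "action": ["name/cos:*"], "resource": "*"}]}
""")

# Constructed alternative: region, uid (APPID) and bucket name are placeholders.
SCOPED_POLICY = {
    "version": "2.0",
    "statement": [{
        "effect": "allow",
        "action": ["name/cos:GetBucket", "name/cos:GetObject", "name/cos:PutObject"],
        "resource": ["qcs::cos:ap-singapore:uid/1250000000:my-data-bucket-1250000000/data/*"],
    }],
}


def _as_list(value):
    """Accept either a single string or a list for action/resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, finding) pairs for overbroad allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("statement", []))):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # only allow statements can widen access
        for action in _as_list(stmt.get("action", [])):
            # Drop the optional "name/" prefix, then split "service:operation".
            service, _, operation = action.split("/", 1)[-1].partition(":")
            if service == "*" or operation == "*":
                findings.append((idx, f"wildcard action: {action}"))
        for resource in _as_list(stmt.get("resource", [])):
            if resource == "*":
                findings.append((idx, "resource '*' is not limited to any bucket"))
                continue
            # Assumed six-part form: qcs::cos:<region>:uid/<appid>:<bucket>/<key>
            parts = resource.split(":", 5)
            if len(parts) != 6 or parts[5].split("/", 1)[0] in ("", "*"):
                findings.append((idx, f"resource not pinned to one bucket: {resource}"))
    return findings


if __name__ == "__main__":
    for name, pol in (("SKILL.md", SKILL_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol) or "no overbroad statements")
```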

📦 Installation

# Install dependencies
pip3 install --break-system-packages \
  cos-python-sdk-v5 \
  python-dotenv

🔧 Configuration

Environment variable file (.env)

# Tencent Cloud API credentials (sub-user)
TENCENT_SECRET_ID=AKIDxxxxxxxxxxxxxxxxxxxxxxxxxx
TENCENT_SECRET_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxx

# Region
TENCENT_REGION=ap-singapore

# Resource naming
RESOURCE_PREFIX=cos

# Storage settings
DEFAULT_STORAGE_CLASS=STANDARD

🚀 Usage Examples

Create a bucket

from tencentcloud_cos import COSManager

cos = COSManager()

bucket = cos.create_bucket(
    bucket_name="my-data-bucket",
    region="ap-singapore",
    storage_class="STANDARD"
)

print(f"✅ 创建成功:{bucket['bucket_name']}")

Upload a file

cos.upload_file(
    bucket="my-data-bucket",
    local_path="/tmp/data.parquet",
    key="data/2024/03/28/data.parquet"
)

Batch upload

files = ["/tmp/data1.parquet", "/tmp/data2.parquet"]

cos.batch_upload(
    bucket="my-data-bucket",
    files=files,
    prefix="data/2024/03/28/"
)

Download a file

cos.download_file(
    bucket="my-data-bucket",
    key="data/2024/03/28/data.parquet",
    local_path="/tmp/download.parquet"
)

Set lifecycle rules

cos.put_lifecycle(
    bucket="my-data-bucket",
    rules=[
        {
            "id": "rule1",
            "prefix": "data/",
            "transitions": [
                {"days": 7, "storage_class": "STANDARD_IA"},
                {"days": 30, "storage_class": "ARCHIVE"}
            ]
        }
    ]
)

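📊 Cost Estimate Reference

The costs below are for reference only; actual charges are those shown on your bill.

Data storage (100 GB/month)

| Storage class | Monthly cost | Annual cost |
|---|---|---|
| Standard storage | ~¥12-15 | ~¥144-180 |
| Infrequent-access storage | ~¥7-9 | ~¥84-108 |
| Archive storage | ~¥2-4 | ~¥24-48 |

Lifecycle optimization example

| Strategy | Monthly cost | Savings |
|---|---|---|
| All standard storage | ~¥55-65 | - |
| Lifecycle optimized | ~¥35-45 | ~30-40% |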

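⚠️ Notes

Security

  • ✅ Use sub-user keys, not the root account
  • ✅ Apply least privilege
  • ✅ Keep the .env file secure
  • ✅ Rotate keys regularly (every 90 days)
  • ❌ Do not commit keys to Git

Cost

  • ✅ Set budget alerts
  • ✅ Use lifecycle optimization
  • ✅ Clean up unused files promptly
  • ❌ Do not forget to configure lifecycle rules

Region selection

  • ✅ Singapore (ap-singapore): stable network
  • ✅ Hong Kong (ap-hongkong): low latency
  • ✅ Shanghai (ap-shanghai): fast access within China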

🆘 Troubleshooting

Issue 1: Credential verification failed

cat config/.env
python3 src/verify_config.py

Issue 2: Insufficient permissions

tccli cam ListAttachedUserPolicies --AttachUin <UIN>

Issue 3: Upload failed

# Check the bucket name format
# Correct format: bucket-name.cos.region.myqcloud.com

# Check network connectivity
ping cos.ap-singapore.myqcloud.com
