Tencent Agent Storage

v1.0.10

Cloud file storage, upload, backup, and file management tool for Tencent Agent Storage (专属网盘). Manages the user's personal cloud drive: upload files, list fi...

⭐ 0· 435·0 current·0 all-time

byShawnmZhang@shawnminh

Security Scan

Capability signals

Requires OAuth tokenRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description, required binaries (node/npm), required env vars (smh_libraryId, smh_accessToken, smh_spaceId, smh_basePath), and the included script all align with a Tencent SMH cloud storage client for upload/list/info operations.

ℹ

Instruction Scope

Runtime instructions and the script stay within cloud storage operations. The script does read configuration files in the user's home directory (~/.tencentAgentStorage/.env, ~/.openclaw/openclaw.json, ~/.hermes/.env) to obtain smh_* credentials; reading these agent config files is plausible for credential discovery but is broader than only reading process env variables and may expose other local config contents to the running script (the script only uses smh_ keys). The script also runs a child_process execSync('npm root -g') only to locate a globally installed SDK if needed.

✓

Install Mechanism

This is an instruction-only skill (no installer). SKILL.md suggests installing Node from official Node.js sources and installing the smh-node-sdk via npm (global or local). No obscure or personal download hosts are used in the instructions.

ℹ

Credentials

Requested env vars (smh_libraryId, smh_accessToken, smh_spaceId, smh_basePath) are appropriate for a cloud storage client. The script will also parse ~/.openclaw/openclaw.json and ~/.hermes/.env for env-like entries; while it only consumes smh_* keys, it does access other config files that may contain unrelated secrets or environment entries.

✓

Persistence & Privilege

Skill is not always-enabled, does not request system-wide changes, and the included code does not modify other skills or global agent configuration. It runs only when invoked.

Assessment

This skill appears coherent for managing Tencent SMH cloud files. Before installing: (1) review and confirm you want to give the tool your smh_accessToken (it requires a space-level/admin token to upload and generate links); (2) be aware the script reads config files in your home directory (~/.tencentAgentStorage/.env, ~/.openclaw/openclaw.json, ~/.hermes/.env) to find credentials—if those files contain other sensitive tokens you may prefer to supply only the needed smh_* environment variables at runtime; (3) verify installation commands (Node/npm) are acceptable for your environment and avoid running curl|sh commands if you have alternative package management; (4) inspect scripts/agent-storage.js yourself if you want to confirm there are no unexpected network endpoints beyond the declared SMH API host.

✗

scripts/agent-storage.js:17

Shell command execution detected (child_process).

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

☁️ Clawdis

Binsnode, npm

Envsmh_libraryId, smh_accessToken, smh_spaceId, smh_basePath

latestvk97bhhv3zxmvfdwjyb8vtvw80h850kcn

435downloads

0stars

9versions

Updated 2d ago

v1.0.10

MIT-0

Tencent Agent Storage (云文件上传备份工具)

将本地文件上传至 Tencent Agent Storage，自动生成下载链接和图片预览。上传的文件存储在用户独有的云盘空间中，支持跨端访问——无论是手机、电脑还是平板，用户都可以随时随地查看和下载自己的文件。

When to Use

Agent MUST activate this skill when any of the following conditions are met:

User mentions cloud drive keywords: 网盘、云盘、云空间、龙虾盘、专属网盘、cloud drive, my drive
User requests file listing or browsing: 列出文件、有哪些文件、list files, show files
User requests upload or backup: 上传文件、备份到云、存到网盘、upload, backup, save to cloud
User asks to send/deliver files: 把文件发给我、发到手机、send file, deliver file
User requests links or sharing: 生成下载链接、分享文件、download link, share link
User queries file status: 这个云文件还在吗、链接过期了、is file still there
Implicit: A task produces output files that need to be delivered to the user, or the user's intent implies needing a file on another device

Quick Reference

Command	Usage	Description
`upload`	`node scripts/agent-storage.js upload '<json>'`	Upload local file to cloud, returns download link
`info`	`node scripts/agent-storage.js info '<json>'`	Get file info and regenerate download link
`list`	`node scripts/agent-storage.js list '<json>'`	List files in a cloud directory

Setup

Prerequisites

此 skill 需要 Node.js ≥ 14 和 npm。Agent 在首次执行前必须检测运行环境：

node --version   # 期望输出 v14.x 或更高
npm --version

如果 node 命令不存在或版本低于 14，直接安装：

根据用户系统自动选择安装方式：

# macOS (Homebrew)
brew install node

# macOS (无 Homebrew)
curl -o node.pkg "https://nodejs.org/dist/v20.18.0/node-v20.18.0.pkg" && sudo installer -pkg node.pkg -target / && rm node.pkg

# Linux (Debian/Ubuntu)
curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - && sudo apt-get install -y nodejs

# Linux (其他发行版 / 通用)
curl -fsSL https://nodejs.org/dist/v20.18.0/node-v20.18.0-linux-x64.tar.xz | sudo tar -xJ -C /usr/local --strip-components=1

# Windows (PowerShell, 管理员)
winget install OpenJS.NodeJS.LTS

# Windows (无 winget)
# 下载安装包: https://nodejs.org/dist/v20.18.0/node-v20.18.0-x64.msi 并运行

# 跨平台 (已有 nvm)
nvm install --lts

此 skill 还依赖 smh-node-sdk npm 包。必须在使用前完成安装（二选一）：

# 方式一：全局安装（推荐）
npm install -g smh-node-sdk

# 方式二：本地安装到项目目录
npm install smh-node-sdk

脚本会按以下顺序查找 SDK：当前项目 node_modules → 全局 node_modules。如果未找到，脚本会报错并提示安装命令。

About the upload script

此 skill 的运行脚本位于 scripts/agent-storage.js。Agent 直接通过 node scripts/agent-storage.js <command> '<json>' 调用，无需额外写入临时文件。脚本源码可在 scripts/ 目录中审阅。

Credential configuration

凭证从以下配置文件中自动加载（优先级从高到低）。

安全说明：脚本仅读取配置文件中 smh_ 前缀的环境变量（smh_libraryId、smh_accessToken 等），不会访问配置文件中的其他字段或敏感信息。

关于 token 权限：Tencent Agent Storage 的文件上传和下载链接生成 API 要求 space_admin 级别的 accessToken，这是 Tencent Agent Storage 服务端对文件写入操作的最低权限要求。

模式一：直接凭证（accessToken）

凭证文件查找顺序（先找到者优先）：

通用配置 — ~/.tencentAgentStorage/.env
OpenClaw — ~/.openclaw/openclaw.json 的 env 字段
Hermes — ~/.hermes/.env

通用配置（推荐） — 在 ~/.tencentAgentStorage/.env 中配置：

# ~/.tencentAgentStorage/.env
smh_basePath=https://api.tencentsmh.cn
smh_libraryId=smhxxx-xxxxx
smh_spaceId=space-xxxxx
smh_accessToken=<your-access-token>

OpenClaw — 在 ~/.openclaw/openclaw.json 的 env 字段中配置：

{
  "env": {
    "smh_basePath": "https://api.tencentsmh.cn",
    "smh_libraryId": "smhxxx-xxxxx",
    "smh_spaceId": "space-xxxxx",
    "smh_accessToken": "<your-access-token>"
  }
}

Hermes — 在 ~/.hermes/.env 中配置：

smh_basePath=https://api.tencentsmh.cn
smh_libraryId=smhxxx-xxxxx
smh_spaceId=space-xxxxx
smh_accessToken=<your-access-token>

Procedure

Agent uses this skill in any scenario that requires uploading files to the cloud.

Complete flow

User triggers file upload
  → Step 1: Identify the local file path(s)
  → Step 2: Run upload script (loop for batch)
  → Step 3: Extract downloadUrl from JSON output (signed COS URL)
  → Step 4: Deliver the download link with execution notice

IMPORTANT: 默认必须使用 conflictStrategy: "ask" 上传。这样当云端已存在同名文件时，脚本会返回错误，Agent 可以询问用户如何处理。只有用户明确说了 "覆盖"/"替换" 或 "重命名" 时，才使用对应的 conflictStrategy: "overwrite" 或 conflictStrategy: "rename"。

Step 2: Upload

Single file (默认):

node scripts/agent-storage.js upload '{"localPath":"/path/to/file.pdf","conflictStrategy":"ask"}'

Upload to specific directory:

node scripts/agent-storage.js upload '{"localPath":"/path/to/photo.jpg","remotePath":"photos/photo.jpg","conflictStrategy":"ask"}'

User explicitly requested overwrite:

node scripts/agent-storage.js upload '{"localPath":"/path/to/report.pdf","conflictStrategy":"overwrite"}'

Batch upload:

node scripts/agent-storage.js upload '{"localPath":"/path/to/file1.pdf","conflictStrategy":"ask"}'
node scripts/agent-storage.js upload '{"localPath":"/path/to/file2.docx","conflictStrategy":"ask"}'

Conflict handling

When using conflictStrategy: "ask" (默认), if a same-name file already exists, the script returns {"success":false,"conflict":true}. Agent must then ask the user:

云端已存在同名文件 {filename}，你想怎么处理？

🔄 覆盖 — 替换云端文件

📝 重命名 — 自动改名上传（如 file(1).pdf）

❌ 取消 — 不上传

三种策略对照：

Strategy	Behavior	When to use
`ask` (默认，必须使用)	同名文件存在时返回错误，Agent 询问用户	用户未表明偏好时
`overwrite`	直接覆盖已有文件	用户明确说 "覆盖", "替换", "更新文件"
`rename`	自动重命名 → `file(1).pdf`	用户明确说 "重命名", "改名上传"

Step 4: Deliver link + execution notice

After every successful upload, include this notice alongside the download link(s):

链接已生成，链接有效期 2 小时，可直接在浏览器或手机中打开。

链接输出规则（MUST）：

必须使用带 COS 签名的直链（downloadUrl 字段），域名为 *.tencentsmhuc.cn，参数含 q-sign-algorithm 和 q-signature
禁止输出含 accessToken 的中转链接（如 https://api.tencentsmh.cn/...?access_token=...），这会泄露凭证
链接必须完整输出，禁止任何形式的截断、省略或缩写——不能用 ...、<省略> 等替代任何部分。签名链接通常很长，这是正常的

Single file example:

链接已生成，链接有效期 2 小时，可直接在浏览器或手机中打开。

已上传文件: report.pdf 大小: (2.3 MB) 下载链接: {脚本返回的完整 downloadUrl，原样输出，不得截断}

Batch example:

链接已生成，链接有效期 2 小时，可直接在浏览器或手机中打开。

📎 report.pdf (2.3 MB) — {完整 downloadUrl} 📎 photo.jpg (1.1 MB) — {完整 downloadUrl}

File Size Support

There is NO file size limit. The upload script supports files of any size, including multi-GB videos.

Small files (≤ 50 MB): Single-part upload.
Large files (> 50 MB): Multipart upload — the file is read in 5 MB chunks, never loaded entirely into memory.

Commands

所有命令输出 JSON 到 stdout。

upload

node scripts/agent-storage.js upload '<json>'

JSON 参数：

localPath（必填）：本地文件绝对路径，支持 ~ 展开
remotePath（可选）：云端目标路径，省略则上传到根目录并保留原文件名
conflictStrategy（可选）：ask（默认）| rename | overwrite

Output:

{
  "success": true,
  "upload": {
    "localFile": "/path/to/photo.jpg",
    "remotePath": "photo.jpg",
    "fileSize": 2048576,
    "fileSizeHuman": "2.0 MB",
    "uploadTime": "3.2s",
    "rapidUpload": false
  },
  "downloadUrl": "https://bucket-xxxxx.tencentsmhuc.cn/smhxxx/...photo.jpg?response-content-disposition=inline&smh-space=space-xxx&x-cos-security-token=...&q-sign-algorithm=sha1&q-signature=..."
}

info

node scripts/agent-storage.js info '<json>'

JSON 参数：

remotePath（必填）：云端文件路径
basePath / libraryId / spaceId / accessToken（可选）：直接传参模式凭证

Output:

{
  "success": true,
  "remotePath": "report.pdf",
  "downloadUrl": "https://bucket-xxxxx.tencentsmhuc.cn/smhxxx/...report.pdf?response-content-disposition=inline&smh-space=space-xxx&x-cos-security-token=...&q-sign-algorithm=sha1&q-signature=...",
  "fileInfo": {
    "name": "report.pdf",
    "size": 2048576,
    "type": "application/pdf",
    "creationTime": "2026-03-13T10:00:00Z",
    "modificationTime": "2026-03-13T10:00:00Z"
  }
}

list

node scripts/agent-storage.js list '<json>'

JSON 参数：

dirPath（可选）：目录路径，默认 /
limit（可选）：最大返回数量，默认 50

Full Example

# Step 0: 安装 smh-node-sdk（首次使用前执行一次）
npm install -g smh-node-sdk

# Step 1: 上传文件
node scripts/agent-storage.js upload '{"localPath":"/path/to/report.pdf","conflictStrategy":"ask"}'

# Step 2: 查询文件信息
node scripts/agent-storage.js info '{"remotePath":"report.pdf"}'

# Step 3: 列出云端文件
node scripts/agent-storage.js list '{"dirPath":"/","limit":20}'

Pitfalls

Error handling

所有命令输出 JSON 到 stdout。错误也以 JSON 返回：{"success": false, "error": "..."}

错误	处理方式
上传失败（`success: false`）	告诉用户："文件上传失败：{具体原因}。你可以稍后再试，或者检查网络连接。"
同名冲突（`conflict: true`）	询问用户选择覆盖、重命名或取消
文件不存在	让用户确认路径
网络错误	重试 2 次，间隔 3s；仍失败告知用户
配置缺失	提示用户在 `~/.tencentAgentStorage/.env`、`~/.openclaw/openclaw.json` 的 `env` 字段或 `~/.hermes/.env` 中添加 `smh_*` 配置

上传失败对话模板（当 success: false 时必须使用）：

❌ 文件上传失败：{error 中的具体原因}。

你可以：

🔄 重试 — 重新上传这个文件

❌ 取消 — 暂时不上传

Prohibited actions

NEVER 在 success: false 时展示下载链接
NEVER 在上传失败时不告知用户，必须明确提示"文件上传失败"及原因
NEVER 硬编码或暴露 SMH 凭证给用户
NEVER 未经用户主动要求就上传其本地个人文件
NEVER 跳过执行通知："链接已生成，有效期 2 小时，可直接在浏览器或手机中打开"
NEVER 在用户未明确表态时使用 conflictStrategy: "rename" 或 conflictStrategy: "overwrite"
NEVER 把含 accessToken 的中转链接（如 https://api.tencentsmh.cn/...?access_token=...）发给用户。返回给用户的必须是带 COS 签名的直链（域名为 *.tencentsmhuc.cn，参数含 q-sign-algorithm 和 q-signature），即脚本输出的 downloadUrl 字段
NEVER 截断、省略或用 ... 缩写链接。发给用户的下载链接/预览链接必须是脚本返回的完整 URL，一个字符都不能少。链接通常很长（含签名参数），这是正常的，必须原样完整输出

Common mistakes

用户说"上传文件"但没指定路径 → 追问："你要上传哪个文件？告诉我文件路径或文件名就行。"
用户说"确定上传 xxx"或"把 xxx 发给我" → 直接执行上传（conflictStrategy: "ask"）
同名文件冲突：上传时必须使用 conflictStrategy: "ask"。如果返回 conflict: true，必须询问用户选择覆盖、重命名或取消
文件默认上传到云空间根目录，用户可通过 remotePath 参数指定目标路径
下载链接为通过 SDK infoFile({ purpose: 'download' }) 获取的带签名 COS 直链（https://bucket-xxxxx.tencentsmhuc.cn/...?q-sign-algorithm=sha1&q-signature=...），可直接在浏览器或手机中打开预览/下载，有效期约 2 小时。必须原样完整输出此链接，禁止截断或省略任何部分
批量上传按顺序处理（不并行），避免 API 过载
执行通知：每次上传完成后必须告知用户："链接已生成，有效期 2 小时，可直接在浏览器或手机中打开"

Verification

Upload was successful when ALL of the following are true:

Script output contains "success": true
downloadUrl field is present and non-empty
Agent delivered the download link to the user with the execution notice: "链接已生成，有效期 2 小时，可直接在浏览器或手机中打开"

To verify a previously uploaded file still exists:

node scripts/agent-storage.js info '{"remotePath":"<filename>"}'

If the response contains "success": true, the file is accessible and a fresh download link is returned.

Comments

Loading comments...