The skill is vulnerable to prompt and command injection, allowing
Claims to do
Tencent Cloud COS skill: one-stop management of Tencent Cloud Object Storage (COS) and Cloud Infinite (CI, 数据万象) through a single Node.js SDK script, providing the following capabilities:
Actually does
This skill runs a Node.js script (`scripts/cos_node.mjs`) that uses `cos-nodejs-sdk-v5` to talk to Tencent Cloud COS (Object Storage) and CI (Cloud Infinite, 数据万象). It covers a wide range of operations: file upload/download, bucket management, image/document/media processing, content moderation, speech recognition and synthesis, file processing, MetaInsight (multi-modal retrieval) and knowledge-base management. It reads Tencent Cloud API credentials (SecretId, SecretKey, Token) from environment variables, a local `.env` file or an encrypted `.env.enc` file, and contacts Tencent Cloud API endpoints.
openclaw skills install shawnminh/tencent-cos-skill

DeBERTa classifier detected prompt injection (confidence: 0.98)
The skill explicitly executes a shell script (`setup.sh`) and a Node.js script (`cos_node.mjs`) via `{baseDir}/scripts/...`. Many actions take user-controlled arguments (`--file`, `--key`, `--bucket`, `--content`, `--query`, ...). If the agent splices these values into a shell command string instead of passing them as an argument vector, a value containing shell metacharacters (`;`, `$(...)`, backticks) is interpreted by the shell, and an attacker who controls a file name, object key or prompt can execute arbitrary commands on the host.
{baseDir}/scripts/setup.sh
node {baseDir}/scripts/cos_node.mjs <action> [--option value ...]
--file /path/to/file.jpg
--bucket <BucketName>

The skill provides extensive access to Tencent Cloud COS and CI APIs, including creating storage buckets (`create-bucket`, `create-knowledge-base`), changing bucket policy (ACL, CORS) and uploading/downloading files. The `ci-request` action calls *any* CI API with a caller-supplied method, path and body, so it is an open-ended interface to the cloud account rather than a fixed set of operations. This breadth can be abused for resource abuse (creating many buckets and incurring cost) or for data exfiltration, for example by opening a bucket's ACL or copying objects to an attacker-controlled bucket.
create-bucket
create-knowledge-base
put-bucket-acl
ci-request --method POST --path "image/auditing" --body '<xml>...'
The skill offers to persist the cloud credentials (`SecretId`, `SecretKey`) to disk, either as a plain-text `.env` file or as an encrypted `.env.enc` file. It mentions file permissions (600), `.gitignore` integration and AES-256-GCM encryption as safeguards, but credentials on disk remain exposed to any process or user that can read the project directory, to backups, and to accidental publication; and an encrypted file protects the secret only as well as wherever its decryption key is kept. If the key or passphrase sits next to the file or inside the script, the encryption adds nothing against a compromised host.
setup.sh --from-env --persist
node scripts/cos_node.mjs encrypt-env
Credentials are written to the project-local .env file
The skill installs the `cos-nodejs-sdk-v5` package with `npm` into the local `node_modules/` directory. Depending on an external package pulls in its whole dependency tree, and a compromised version of the package or of any dependency can run code at install time (npm lifecycle scripts) or at run time with the same access as the skill, including the COS credentials it handles.
"package": "cos-nodejs-sdk-v5", "kind": "node", "install": [...]
The '知识库' (Knowledge Base) feature lets the agent '一键创建知识库' (create a knowledge base with one click), which automatically provisions a COS bucket and a MetaInsight dataset. While designed for convenience, this automatic provisioning, with no per-resource confirmation, can be turned into resource abuse (many buckets and datasets, unexpected cost) if the agent's decision-making is manipulated, for example through a prompt injection.
One-click knowledge base creation (automatically creates bucket + dataset + binding)
create-knowledge-base --name <user-specified name>
The skill uses reassuring language like '请放心,你的密钥会受到以下保护' (Please rest assured, your keys will be protected as follows) and '🛡️ 凭证安全保障' (Credential Security Assurance) when asking for critical cloud credentials. While it does list security measures, this framing could be seen as an attempt to reduce user vigilance and encourage the provision of sensitive information, potentially exploiting human approval fatigue or trust.
"Please rest assured, your keys will be protected as follows" (请放心,你的密钥会受到以下保护)
"🛡️ Credential Security Assurance" (🛡️ 凭证安全保障)
https://mondoo.com/ai-agent-security/skills/clawhub/shawnminh/tencent-cos-skill