The skill is vulnerable to arbitrary
Claims to do
Tencent Cloud COS skill: one-stop management of Tencent Cloud Object Storage (COS) and Cloud Infinite (数据万象, CI), providing the following capabilities through a unified Node.js SDK script:
Actually does
This skill executes a Node.js script (`scripts/cos_node.mjs`) to interact with Tencent Cloud COS and CI services. It uses the `cos-nodejs-sdk-v5` library to perform a wide range of operations including file storage (upload, download, list), bucket management, image/document/media processing, content moderation, speech services, file processing, and MetaInsight (multi-modal retrieval) and knowledge base functionalities. It manages Tencent Cloud API credentials (SecretId, SecretKey, Token) via environment variables or local `.env` files, with an option for AES-256 encryption, and uses a `setup.sh` script for initial environment configuration.
openclaw skills install shawnminh/tencentcloud-cos-skills
DeBERTa classifier detected prompt injection (confidence: 0.98)
The skill constructs shell commands from user-provided option values (e.g., `--key`, `--file`, `--bucket`, `--name`, `--text`, `--body`). If those values are interpolated into a command string that is handed to a shell, rather than passed as separate argv elements to a no-shell API such as `execFile`, an attacker who controls any of them can terminate the intended command and append their own, giving arbitrary code execution on the host running the agent.
node {baseDir}/scripts/cos_node.mjs <action> [--option value ...], upload --file /path/to/file.jpg --key remote/path/file.jpg, create-knowledge-base --name <user-specified name>, ci-request --method POST --path "image/auditing" --body '<xml>...</xml>'
The `download` action lets the caller choose an arbitrary `--output` path for the downloaded object. The file is written wherever the agent process can write, so an attacker who controls the argument can land confidential cloud data in a location readable by other processes or users (a shared or world-readable directory, for example), outside any working directory the operator intended.
download --key remote/path/file.jpg --output /path/to/save/file.jpg
The `ci-request` action provides a generic 'extension point' to call any CI API by specifying method, path, and body. This broad access could bypass specific security controls implemented for other actions and potentially be used for unauthorized operations or data manipulation if the underlying API is not strictly permissioned.
ci-request --method POST --path "image/auditing" --body '<xml>...</xml>', used to call CI capabilities that have not yet been wrapped as a standalone action
The skill provides explicit actions (`encrypt-env`, `decrypt-env`) for persisting cloud credentials to disk. The encrypted form helps at rest, but `decrypt-env` restores a plaintext `.env`, and that plaintext stays on disk until someone removes it; if the host is compromised after decryption (or the file is simply forgotten), the credentials are exposed despite the documented safeguards.
setup.sh --from-env --persist, node scripts/cos_node.mjs encrypt-env, node scripts/cos_node.mjs decrypt-env, decrypts .env.enc → .env, restoring the plaintext
The skill allows users to create cloud resources such as storage buckets, datasets, and knowledge bases. Without proper rate limiting or approval mechanisms, a malicious user could repeatedly create resources, leading to unexpected billing charges or resource exhaustion in the cloud account.
create-bucket --bucket mybucket-1250000000, create-dataset --name my-dataset, create-knowledge-base --name <user-specified name>
The `upload` action allows users to specify any local file path for upload to the cloud. While necessary for the skill's function, this capability could be abused to upload sensitive local files to a public or attacker-controlled cloud storage if the agent's environment has access to such files.
upload --file /path/to/file.jpg --key remote/path/file.jpg
[Mondoo Skill Check](https://mondoo.com/ai-agent-security/skills/clawhub/shawnminh/tencentcloud-cos-skills)
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.