← Back to Skills Marketplace
Tencent Cloud COS
by
jason-aka-chen
· GitHub ↗
· v1.0.0
· MIT-0
132
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install tencent-cos-chen
Description
Tencent Cloud Object Storage (COS) and Data万象 (CI) integration skill. Use this when you need to upload, download, and manage cloud storage files, or perform...
Usage Guidance
This skill appears to be a legitimate COS integration, but exercise caution before running its setup script. The setup script will persist your Tencent SecretId/SecretKey and other settings into shell startup files (~/.bashrc or ~/.zshrc), into ~/.mcporter/mcporter.json (it may embed secrets into command args), and may configure ~/.cos.conf via coscmd — all in clear text. Recommendations before installing:
- Only provide a dedicated, least-privileged API key (SecretId/SecretKey) scoped to the specific bucket and actions required; avoid using your primary account keys.
- Inspect scripts/setup.sh and references/config_template.json yourself; consider running setup steps manually rather than the script so you control what is written and where.
- Prefer exporting credentials to a session or a dedicated credential file with restricted permissions (chmod 600) rather than adding them to shell rc.
- Be cautious about global npm installs (mcporter) and npx: they run third-party code. Consider installing packages locally in an isolated environment or container.
- After setup, verify ~/.mcporter/mcporter.json and ~/.cos.conf to confirm exactly what was written; remove secrets when no longer needed.
- If unsure about the package author (source is unknown), avoid running automated install and instead use official Tencent tools or create your own minimal scripts that use the official SDK.
What would change this assessment: if the skill metadata declared required env vars and primary credential up front, and if the setup script provided a non-persistent option (e.g., use environment-only or local config with restricted permissions rather than writing to shell rc), the concerns about transparency and persistence would be reduced.
Capability Assessment
Purpose & Capability
The skill's name/description match the code and tools (cos-mcp, cos-nodejs-sdk, coscmd) and those are appropriate for COS operations. However the registry metadata declares no required environment variables or primary credential, while the runtime scripts clearly require Tencent COS credentials (SecretId/SecretKey/Region/Bucket). This metadata mismatch reduces transparency.
Instruction Scope
SKILL.md and scripts instruct the agent to run scripts/setup.sh which: installs node packages, installs/configures mcporter, writes credentials into ~/.mcporter/mcporter.json (embedding secrets into args), writes exports into ~/.bashrc or ~/.zshrc, and optionally configures coscmd (~/.cos.conf). These instructions go beyond transient usage: they persist secrets in multiple user config files and modify shell startup files. While these actions enable future COS operations, they are intrusive and broaden exposure of credentials.
Install Mechanism
The install uses npm packages (cos-mcp, cos-nodejs-sdk-v5, mcporter) and may perform global npm install -g mcporter. This is a typical delivery mechanism for Node-based tools (moderate risk). The scripts also rely on npx (which executes package code on demand). No arbitrary download URLs or unknown remote binaries were found, but global installs and npx usage can execute third-party code and should be considered when evaluating trust.
Credentials
The functionality legitimately requires Tencent COS credentials, so asking for SecretId/SecretKey/Region/Bucket is proportional. However the skill's declared requirements list zero env vars (manifest omission). More importantly, the setup persists these credentials into shell rc, mcporter config, and coscmd config in clear text — increasing the blast radius and violating least privilege principles unless the user provides dedicated limited-privilege keys.
Persistence & Privilege
The setup script makes persistent system changes: adding export lines to ~/.bashrc or ~/.zshrc, creating/updating ~/.mcporter/mcporter.json (embedding secrets in args), and configuring ~/.cos.conf via coscmd. It also attempts global npm installs. The skill is not 'always:true', but it requests persistent presence and writes secrets to files that other processes or users could access. This persistent modification is significant and should be explicitly consented to by the user.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tencent-cos-chen - After installation, invoke the skill by name or use
/tencent-cos-chen - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Updated description to English
Metadata
Frequently Asked Questions
What is Tencent Cloud COS?
Tencent Cloud Object Storage (COS) and Data万象 (CI) integration skill. Use this when you need to upload, download, and manage cloud storage files, or perform... It is an AI Agent Skill for Claude Code / OpenClaw, with 132 downloads so far.
How do I install Tencent Cloud COS?
Run "/install tencent-cos-chen" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tencent Cloud COS free?
Yes, Tencent Cloud COS is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Tencent Cloud COS support?
Tencent Cloud COS is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Tencent Cloud COS?
It is built and maintained by jason-aka-chen (@jason-aka-chen); the current version is v1.0.0.
More Skills