shawnminh

Tencent Agent Storage

Author: ShawnmZhang · GitHub ↗ · v1.0.13 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 750
Favorites: 0
Current installs: 0
Versions: 12
Install in OpenClaw
/install tencent-agent-storage
Description
Cloud file storage, upload, backup, and file management tool for Tencent Agent Storage (专属网盘). Manages the user's personal cloud drive: upload files, list fi...
Security usage recommendations
This skill appears to implement a legitimate Tencent cloud upload tool, but there are several things to consider before installing:
- Metadata mismatch: the registry lists no required env/config, but the skill reads credential files in your home directory (~/.tencentAgentStorage/.env, ~/.openclaw/openclaw.json, ~/.hermes/.env). Expect the skill to look for and use smh_* values in those files.
- Cross-config access: it will read ~/.openclaw/openclaw.json (another agent/tool's config). If that file contains other secrets, review its contents and remove or isolate unrelated secrets. Prefer providing a dedicated smh_* token in a separate file for this skill.
- Token scope: the SKILL.md says an accessToken with space_admin permission is required. Try to create and use the least-privileged token possible (scoped to a single space) rather than a broad admin token.
- Installation steps are standard (official Node.js and npm packages), but installing global npm packages grants broad rights — review the smh-node-sdk package source and trustworthiness before installing globally.
- Broad triggers: the skill defines many implicit triggers. If you are concerned about accidental activation, restrict invocation or only enable the skill when explicitly requested.
If you want higher assurance, review the included scripts/agent-storage.js source (provided) and test the skill in an isolated account/space with a scoped token before using it with sensitive data.
Functional analysis
Type: OpenClaw Skill
Name: tencent-agent-storage
Version: 1.0.13
The skill provides legitimate cloud storage functionality but employs several high-risk patterns. The SKILL.md instructions direct the AI agent to execute 'curl|bash' and 'sudo' commands for environment setup, which constitutes a potential RCE risk. Furthermore, scripts/agent-storage.js contains a fallback mechanism that appends the 'smh_accessToken' as a plaintext query parameter to the download URL if the standard signed URL generation fails; although SKILL.md explicitly instructs the agent to hide such links, the script still outputs the sensitive credential to stdout. The script also proactively searches for and reads credentials from multiple sensitive configuration files, including ~/.openclaw/openclaw.json and ~/.hermes/.env.
Capability assessment
Purpose & Capability
Name/description match the code: the script uploads, lists, and returns download links via an SMH SDK. Requiring Node.js and the smh-node-sdk is proportionate. However the registry metadata lists no required config paths or env vars while both SKILL.md and the script read credential files (~/.tencentAgentStorage/.env, ~/.openclaw/openclaw.json, ~/.hermes/.env) to obtain smh_* values — a mismatch between declared and actual requirements.
Instruction Scope
SKILL.md instructs the agent to install Node and the smh-node-sdk if missing (provides curl/npm/winget commands) and to run node scripts/agent-storage.js. The script will read config files from the user's home directory to resolve credentials. The skill also defines very broad trigger rules (many implicit triggers), which could cause frequent automatic activation and thus repeated access to the user's config files.
Install Mechanism
There is no install spec in the registry (instruction-only). The SKILL.md suggests installing Node from official domains (nodejs.org, nodesource) and installing smh-node-sdk via npm — standard, expected sources. Nothing in the install instructions downloads code from obscure/personal URLs.
Credentials
The skill needs smh_libraryId, smh_spaceId, and smh_accessToken to function, which is appropriate for a cloud-storage uploader. But the registry metadata declared no required env/config paths while the implementation reads multiple user config files (including ~/.openclaw/openclaw.json). Reading another tool's config may expose unrelated environment variables or secrets; although the script maps only smh_* keys, it still accesses those files and will use any smh_* values found there. The skill also recommends using a space_admin-level accessToken — a high privilege token; users should ensure token scope is minimized.
Persistence & Privilege
always:false and no modifications to other skills — good. However the script explicitly reads another agent/tool's config file (~/.openclaw/openclaw.json), which counts as accessing other skills' configuration. This cross-tool config access is a notable privilege and was not declared in the registry metadata.
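How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install tencent-agent-storage
  3. Once installation completes, invoke the Skill by name or trigger it with /tencent-agent-storage
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history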
v1.0.13
tencent-agent-storage v1.0.13
- No file or documentation changes detected since the previous release.
- Retains all previous features and behaviors related to Tencent Agent Storage file upload and management.
- No new functionality, bug fixes, or metadata updates in this version.
v1.0.12
- Version bump from 1.0.7 to 1.0.12 with no code or documentation changes.
- No file changes detected; functionality and usage remain the same.
v1.0.11
Tencent Agent Storage v1.0.11
- No file changes detected for this version.
- No updates or functional changes—behavior remains identical to previous release.
v1.0.10
tencent-agent-storage 1.0.10
- No user-facing changes in this release.
- Internal: Version number updated; no code changes detected.
- All features and configurations remain unchanged.
v1.0.9
No file changes detected in this release.
- Version number updated from 1.0.7 to 1.0.9.
- No other changes to code or documentation.
v1.0.8
- Added a full node_modules directory for the project, including dependencies such as asynckit and axios.
- Initial commit of 910 files supporting Node.js environment and package management for the skill.
- No user-facing feature changes or functional updates; this release is focused on bundling all necessary dependencies for local and portable usage.
v1.0.7
**Tencent Agent Storage 1.0.7 – New Script Integration & Hermes Compatibility**
- Added the main script: `scripts/agent-storage.js` as the core upload/management tool (migrated from `/tmp/smh-upload.js`).
- Updated documentation to support both OpenClaw and Hermes platforms, including their respective credential configuration sections.
- Documented the new script location and changed the usage pattern to `node scripts/agent-storage.js ...` (no longer writes or uses temporary files).
- Enhanced environment setup and compatibility guidance for Node.js & environment variable configuration.
- Expanded metadata: Added Hermes agent tags and documented required variables for broader platform support.
- No changes to logic or feature set; this version focuses on improved structure, integration, and multi-platform documentation.
v1.0.6
Initial release of Tencent Agent Storage integration.
- Provides cloud file upload, backup, and management for users' personal Tencent Agent Storage.
- Auto-generates download links and supports file delivery across devices (PC, mobile, tablet).
- Triggers when users mention cloud drive access, file upload, download, sharing, backups, or related intents.
- Handles file conflicts with user-guided overwrite/rename/cancel options.
- No file size restriction: supports multi-GB files with multipart upload.
- Requires `smh-node-sdk` npm package and credential setup via environment variables or direct parameters.
v1.0.4
No changes detected in this version.
- Version 1.0.4 does not include any file modifications or updates.
- Skill functionality, setup, and documentation remain unchanged.
v1.0.2
tencent-agent-storage v1.0.2
- No code or documentation changes detected in this version.
- All functionality, triggers, and descriptions remain unchanged.
v1.0.1
tencent-agent-storage 1.0.1
- No code changes in this release.
- Updated description: "专属云盘" is now described as "专属网盘" (exclusive cloud drive) in the English summary for clarity; all other workflow, triggers, and technical details remain unchanged.
v1.0.0
tencent-agent-storage v1.0.0
- Initial release of Tencent Agent Storage skill for personal cloud file management.
- Enables file upload, download, preview, backup, and sharing within Tencent Agent Storage (专属云盘).
- Automatically triggers when users mention cloud drive, file listing, upload/backup, sharing links, file status, or similar scenarios.
- Upload script supports large files (no size limit), smart conflict handling (ask/overwrite/rename), and credential flexibility.
- All actions output direct download links with a 2-hour validity, supporting delivery across devices.
Metadata
Slug tencent-agent-storage
Version 1.0.13
License MIT-0
Total installs 0
Current installs 0
Historical versions 12
FAQ

What is Tencent Agent Storage?

Cloud file storage, upload, backup, and file management tool for Tencent Agent Storage (专属网盘). Manages the user's personal cloud drive: upload files, list fi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 750 total downloads so far.

How do I install Tencent Agent Storage?

Run the command "/install tencent-agent-storage" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Tencent Agent Storage free?

Yes, Tencent Agent Storage is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Tencent Agent Storage support?

Tencent Agent Storage runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Tencent Agent Storage?

It is developed and maintained by ShawnmZhang (@shawnminh); the current version is v1.0.13.
