← 返回 Skills 市场
Tencent Cloud COS
作者
jason-aka-chen
· GitHub ↗
· v1.0.0
· MIT-0
132
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install tencent-cos-chen
功能描述
Tencent Cloud Object Storage (COS) and Data万象 (CI) integration skill. Use this when you need to upload, download, and manage cloud storage files, or perform...
安全使用建议
This skill appears to be a legitimate COS integration, but exercise caution before running its setup script. The setup script will persist your Tencent SecretId/SecretKey and other settings into shell startup files (~/.bashrc or ~/.zshrc), into ~/.mcporter/mcporter.json (it may embed secrets into command args), and may configure ~/.cos.conf via coscmd — all in clear text. Recommendations before installing:
- Only provide a dedicated, least-privileged API key (SecretId/SecretKey) scoped to the specific bucket and actions required; avoid using your primary account keys.
- Inspect scripts/setup.sh and references/config_template.json yourself; consider running setup steps manually rather than the script so you control what is written and where.
- Prefer exporting credentials to a session or a dedicated credential file with restricted permissions (chmod 600) rather than adding them to shell rc.
- Be cautious about global npm installs (mcporter) and npx: they run third-party code. Consider installing packages locally in an isolated environment or container.
- After setup, verify ~/.mcporter/mcporter.json and ~/.cos.conf to confirm exactly what was written; remove secrets when no longer needed.
- If unsure about the package author (source is unknown), avoid running automated install and instead use official Tencent tools or create your own minimal scripts that use the official SDK.
What would change this assessment: if the skill metadata declared required env vars and primary credential up front, and if the setup script provided a non-persistent option (e.g., use environment-only or local config with restricted permissions rather than writing to shell rc), the concerns about transparency and persistence would be reduced.
能力评估
Purpose & Capability
The skill's name/description match the code and tools (cos-mcp, cos-nodejs-sdk, coscmd) and those are appropriate for COS operations. However the registry metadata declares no required environment variables or primary credential, while the runtime scripts clearly require Tencent COS credentials (SecretId/SecretKey/Region/Bucket). This metadata mismatch reduces transparency.
Instruction Scope
SKILL.md and scripts instruct the agent to run scripts/setup.sh which: installs node packages, installs/configures mcporter, writes credentials into ~/.mcporter/mcporter.json (embedding secrets into args), writes exports into ~/.bashrc or ~/.zshrc, and optionally configures coscmd (~/.cos.conf). These instructions go beyond transient usage: they persist secrets in multiple user config files and modify shell startup files. While these actions enable future COS operations, they are intrusive and broaden exposure of credentials.
Install Mechanism
The install uses npm packages (cos-mcp, cos-nodejs-sdk-v5, mcporter) and may perform global npm install -g mcporter. This is a typical delivery mechanism for Node-based tools (moderate risk). The scripts also rely on npx (which executes package code on demand). No arbitrary download URLs or unknown remote binaries were found, but global installs and npx usage can execute third-party code and should be considered when evaluating trust.
Credentials
The functionality legitimately requires Tencent COS credentials, so asking for SecretId/SecretKey/Region/Bucket is proportional. However the skill's declared requirements list zero env vars (manifest omission). More importantly, the setup persists these credentials into shell rc, mcporter config, and coscmd config in clear text — increasing the blast radius and violating least privilege principles unless the user provides dedicated limited-privilege keys.
Persistence & Privilege
The setup script makes persistent system changes: adding export lines to ~/.bashrc or ~/.zshrc, creating/updating ~/.mcporter/mcporter.json (embedding secrets in args), and configuring ~/.cos.conf via coscmd. It also attempts global npm installs. The skill is not 'always:true', but it requests persistent presence and writes secrets to files that other processes or users could access. This persistent modification is significant and should be explicitly consented to by the user.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tencent-cos-chen - 安装完成后,直接呼叫该 Skill 的名称或使用
/tencent-cos-chen触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Updated description to English
元数据
常见问题
Tencent Cloud COS 是什么?
Tencent Cloud Object Storage (COS) and Data万象 (CI) integration skill. Use this when you need to upload, download, and manage cloud storage files, or perform... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 132 次。
如何安装 Tencent Cloud COS?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tencent-cos-chen」即可一键安装,无需额外配置。
Tencent Cloud COS 是免费的吗?
是的,Tencent Cloud COS 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Tencent Cloud COS 支持哪些平台?
Tencent Cloud COS 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Tencent Cloud COS?
由 jason-aka-chen(@jason-aka-chen)开发并维护,当前版本 v1.0.0。
推荐 Skills