Trust Assessment
tencent-cos received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 4 critical, 5 high, 3 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.Popen()", and "Dangerous call: subprocess.run()".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencent-cloud-cos-skill/scripts/cos_wrapper.py:109 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencent-cloud-cos-skill/test_skill.py:62 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencent-cloud-cos-skill/test_skill.py:73 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencent-cloud-cos-skill/test_skill.py:253 |
| HIGH | Dangerous call: subprocess.Popen() | Call to 'subprocess.Popen()' detected in function 'start_mcp_server'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shawnminh/tencent-cloud-cos-skill/scripts/cos_wrapper.py:109 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'check_dependencies'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shawnminh/tencent-cloud-cos-skill/test_skill.py:62 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'check_dependencies'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shawnminh/tencent-cloud-cos-skill/test_skill.py:73 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'run_example'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shawnminh/tencent-cloud-cos-skill/test_skill.py:253 |
| HIGH | Temporary file with sensitive credentials not deleted | The `_call_mcp_tool` function creates a temporary JSON file containing `SecretId` and `SecretKey` using `tempfile.NamedTemporaryFile(delete=False)`. Since `delete=False` is specified, this file is not automatically deleted when closed or when the program exits. This leaves sensitive credentials on the filesystem, which could be accessed by other processes or users, leading to credential harvesting or data exfiltration. Ensure the temporary file containing sensitive credentials is securely deleted immediately after use. Change `delete=False` to `delete=True` if the file is not needed after the `with` block, or explicitly call `os.remove(config_file)` in a `finally` block if it needs to persist longer. | LLM | scripts/cos_wrapper.py:109 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/shawnminh/tencent-cloud-cos-skill/install.sh:153 |
| MEDIUM | Third-party dependency `cos-mcp` is unpinned | The skill's manifest and `install.sh` specify `npm install -g cos-mcp@latest`. Installing a package using `@latest` means that any future version of `cos-mcp` will be installed. If a malicious update to `cos-mcp` is published, it could compromise the skill and the system it runs on. Pinning to a specific major.minor.patch version (e.g., `cos-mcp@1.2.3`) or at least a major version (e.g., `cos-mcp@^1.0.0`) provides better control and reduces the risk of unexpected or malicious changes. Pin the `cos-mcp` dependency to a specific version (e.g., `cos-mcp@1.x.x`) or at least a major version range (e.g., `cos-mcp@^1.0.0`) to prevent unexpected or malicious updates. Regularly review and update the pinned version. | LLM | SKILL.md:44 |
| MEDIUM | Command arguments constructed from environment variables | The `_build_mcp_command` function constructs command-line arguments for `npx cos-mcp` using values directly from environment variables (e.g., `TENCENT_COS_REGION`, `TENCENT_COS_BUCKET`, `TENCENT_COS_SECRET_ID`, `TENCENT_COS_SECRET_KEY`, `TENCENT_COS_DATASET_NAME`). While `subprocess.Popen` is used with a list of arguments (mitigating shell injection), if an attacker can control these environment variables, they could inject crafted arguments that exploit vulnerabilities in `cos-mcp` or alter its behavior in unintended ways. This risk is inherent when external input (even if from environment variables) is used to build commands. Sanitize or validate all environment variable inputs used in command construction to ensure they conform to expected formats and do not contain malicious characters or unexpected command-line options. Consider using a dedicated configuration parsing library that handles argument escaping if `cos-mcp` supports it, or strictly whitelist allowed values. | LLM | scripts/cos_wrapper.py:79 |
| LOW | Hardcoded test credentials in example and test files | The `examples/basic_usage.py` and `test_skill.py` files, as well as the `clawdbot_config.json` template generated by `package_skill.sh`, contain hardcoded placeholder credentials (e.g., `AKIDxxxxxxxxxxxxxxxxxxxxxxxx`, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`, `test-secret-id`). While these are intended for testing/example purposes and the `SKILL.md` advises against hardcoding, their presence can lead to accidental deployment of sensitive information if users copy these patterns into production code or fail to replace them. Replace hardcoded credentials in example and test files with clear instructions for users to provide their own secure credentials (e.g., via environment variables or a secure configuration system). Consider using a dedicated test framework that injects mock credentials rather than setting them directly in the code. | LLM | examples/basic_usage.py:14 |