Trust Assessment
tencent-cos received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 13 findings: 5 critical, 5 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.Popen(), Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (13)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencentcloud-cos-skill/scripts/cos_wrapper.py:109 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencentcloud-cos-skill/test_skill.py:62 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencentcloud-cos-skill/test_skill.py:73 |
| CRITICAL | Arbitrary command execution. Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencentcloud-cos-skill/test_skill.py:253 |
| CRITICAL | Tencent COS Secret Keys written to un-deleted temporary file. The `TencentCOSWrapper._call_mcp_tool` method creates a temporary JSON file containing `SecretId` and `SecretKey`. This file is created using `tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False)`. The `delete=False` argument explicitly prevents the file from being automatically deleted when closed. There is no explicit code shown to delete this file, meaning sensitive credentials are left on the filesystem indefinitely, posing a severe security risk if the file is accessed by unauthorized entities. Change `delete=False` to `delete=True` if the file is only needed temporarily and can be deleted immediately after use. If the file must persist for a short duration, ensure it is created with restricted permissions (e.g., `os.umask(0o077)` before creation) and explicitly deleted using `os.remove(config_file)` as soon as it is no longer needed. Prefer passing credentials via environment variables or secure memory mechanisms instead of writing them to disk. | LLM | scripts/cos_wrapper.py:120 |
| HIGH | Dangerous call: subprocess.Popen(). Call to 'subprocess.Popen()' detected in function 'start_mcp_server'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shawnminh/tencentcloud-cos-skill/scripts/cos_wrapper.py:109 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'check_dependencies'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shawnminh/tencentcloud-cos-skill/test_skill.py:62 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'check_dependencies'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shawnminh/tencentcloud-cos-skill/test_skill.py:73 |
| HIGH | Dangerous call: subprocess.run(). Call to 'subprocess.run()' detected in function 'run_example'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shawnminh/tencentcloud-cos-skill/test_skill.py:253 |
| HIGH | Tencent COS Secret Keys exposed in process list. The `TencentCOSWrapper._build_mcp_command` method constructs a command to execute `npx cos-mcp`. It passes `TENCENT_COS_SECRET_ID` and `TENCENT_COS_SECRET_KEY` directly as command-line arguments (`--SecretId=...`, `--SecretKey=...`). When `subprocess.Popen` is used to execute this command, these sensitive credentials can be visible in the system's process list (e.g., via `ps aux` on Linux/macOS) to other users or processes on the same system, leading to potential credential compromise. Pass sensitive credentials to `cos-mcp` via environment variables or a secure configuration file that is not world-readable, rather than command-line arguments. If `cos-mcp` only supports command-line arguments, consider using a more secure method of inter-process communication or a wrapper that sanitizes process arguments. | LLM | scripts/cos_wrapper.py:70 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/shawnminh/tencentcloud-cos-skill/install.sh:153 |
| MEDIUM | Unpinned `cos-mcp` dependency in installation script. The `install.sh` script uses `npm install -g cos-mcp@latest` to install the `cos-mcp` package. While `@latest` specifies the most recent version, it does not pin to a specific, immutable version. This introduces a supply chain risk where a future `latest` version could be compromised or introduce breaking changes, leading to unexpected behavior or security vulnerabilities without explicit user action. Pin the `cos-mcp` dependency to a specific, known-good version (e.g., `npm install -g cos-mcp@1.2.3`). Regularly review and update the pinned version to benefit from security patches and new features. | LLM | install.sh:79 |
| LOW | Hardcoded placeholder credentials in documentation and configuration examples. The `SKILL.md` documentation and the `clawdbot_config.json` example generated by `package_skill.sh` and `install.sh` contain placeholder credentials (`AKIDxxxxxxxxxxxxxxxxxxxxxxxx`, `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`). While these are placeholders, presenting them directly in configuration examples can inadvertently encourage users to hardcode their actual credentials in similar files, which is an insecure practice. The skill's Python wrapper correctly reads from environment variables, but the documentation suggests an alternative, less secure method. Emphasize the use of environment variables for sensitive credentials in all documentation and examples. If configuration files are shown, use clear indicators that credentials should be loaded from secure sources (e.g., `"${ENV_VAR_NAME}"` or `null` with a note to use environment variables). | LLM | SKILL.md:50 |