Trusted — Risk Score 5/100
Last scan: 1 day ago
qiniu_object_storage
Upload local files to Qiniu object storage, return public URL or signed private download URL
This is a legitimate Qiniu cloud storage upload utility that strictly adheres to its documented purpose with no malicious behavior detected.
Skill Name: qiniu_object_storage
Duration: 35.8s
Engine: pi
Safe to install
No action needed. The skill is safe to use.

Findings (2 items)

1. Severity: Low — Minor logging writes not declared in SKILL.md (Doc Mismatch)
   common.py writes log files to OUTPUT_ROOT/outputs/logs/ containing timestamps, trace IDs, file names, and object keys. This filesystem:WRITE is not declared in SKILL.md metadata, though it is a benign side effect of the logging system. No credentials are logged.
   Evidence: log_dir = _get_output_root() / "outputs" / "logs"
   Recommendation: Add filesystem:WRITE to the declared capabilities in SKILL.md metadata if log writing is considered an operational requirement.
   Location: scripts/common.py:57

2. Severity: Info — Usage reference mentions non-existent config file (Sensitive Access)
   references/usage.md references 'api_key/qiniu.json' but this file does not exist in the skill package. SKILL.md correctly states that configuration is via environment variables only.
   Evidence: When "is_private": true is present in api_key/qiniu.json
   Recommendation: Remove or correct the reference to api_key/qiniu.json in usage.md.
   Location: references/usage.md:7
Resource    | Declared | Inferred   | Status    | Evidence
Network     | READ     | READ       | ✓ Aligned | common.py:69 — POSTs to upload-z2.qiniup.com
Filesystem  | READ     | READ+WRITE | ✓ Aligned | common.py:57 — writes logs to OUTPUT_ROOT/outputs/logs/
Shell       | NONE     | NONE       |           | No subprocess or os.system calls found
Environment | READ     | READ       | ✓ Aligned | common.py:78-82 — reads QINIU_* vars only
External URLs (1 finding)

Medium — External URL: https://upload-z2.qiniup.com
Location: scripts/common.py:69

File Tree

6 files · 18.2 KB · 598 lines
Python: 3 files · 465 lines | Markdown: 2 files · 129 lines | YAML: 1 file · 4 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 430 B
├─ 📁 references
│ └─ 📝 usage.md Markdown 48L · 1.4 KB
├─ 📁 scripts
│ ├─ 🐍 common.py Python 265L · 7.7 KB
│ ├─ 🐍 generate_private_download_url.py Python 69L · 1.8 KB
│ └─ 🐍 upload_file.py Python 131L · 3.9 KB
└─ 📝 SKILL.md Markdown 81L · 3.0 KB

Dependencies (1 item)

Package       | Version | Source                    | Known Vulns | Notes
(stdlib only) | N/A     | Python 3 standard library | No          | No third-party packages installed

Security Positives

✓ Uses only Python standard library — no third-party dependencies, minimal supply chain risk
✓ No subprocess, os.system, or shell execution — all logic is in-process Python
✓ No obfuscation (no base64 decode+exec, no eval, no dynamic code loading)
✓ QINIU credentials used exclusively for HMAC-SHA1 token signing and never leave the process
✓ Network requests limited to Qiniu's official upload API endpoint
✓ Credential keys (access_key, secret_key) are not logged or exposed in output JSON
✓ SKILL.md accurately describes the skill's scope, inputs, and behavior
✓ File input is validated — FileNotFoundError raised if path does not exist
✓ Argument validation (expires-in > 0) rejects negative or zero expiry values