Trusted: risk score 5/100
Last scan: 1 day ago
qiniu_object_storage
Upload local files to Qiniu object storage, return public URL or signed private download URL
This is a legitimate Qiniu cloud storage upload utility that strictly adheres to its documented purpose with no malicious behavior detected.
Skill name: qiniu_object_storage
Analysis time: 35.8s
Engine: pi
Safe to install
No action needed. The skill is safe to use.

Security findings (2)

Severity | Finding | Category
Low | Minor logging writes not declared in SKILL.md | Documentation deception
common.py writes log files to OUTPUT_ROOT/outputs/logs/ containing timestamps, trace IDs, file names, and object keys. This filesystem:WRITE is not declared in SKILL.md metadata, though it is a benign side effect of the logging system. No credentials are logged.
log_dir = _get_output_root() / "outputs" / "logs"
→ Add filesystem:WRITE to declared capabilities in SKILL.md metadata if log writing is considered an operational requirement.
scripts/common.py:57
Info | Usage reference mentions non-existent config file | Sensitive access
references/usage.md references 'api_key/qiniu.json' but this file does not exist in the skill package. SKILL.md correctly states configuration is via environment variables only.
When "is_private": true is present in api_key/qiniu.json
→ Remove or correct the reference to api_key/qiniu.json in usage.md.
references/usage.md:7
Resource type | Declared | Inferred | Status | Evidence
Network access | READ | READ | ✓ consistent | common.py:69 — POSTs to upload-z2.qiniup.com
Filesystem | READ | READ+WRITE | ✓ consistent | common.py:57 — writes logs to OUTPUT_ROOT/outputs/logs/
Command execution | NONE | NONE | | No subprocess or os.system calls found
Environment variables | READ | READ | ✓ consistent | common.py:78-82 — reads QINIU_* vars only
1 finding
Medium | External URL
https://upload-z2.qiniup.com
scripts/common.py:69

Directory structure

6 files · 18.2 KB · 598 lines
Python: 3 files · 465 lines; Markdown: 2 files · 129 lines; YAML: 1 file · 4 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 430 B
├─ 📁 references
│ └─ 📝 usage.md Markdown 48L · 1.4 KB
├─ 📁 scripts
│ ├─ 🐍 common.py Python 265L · 7.7 KB
│ ├─ 🐍 generate_private_download_url.py Python 69L · 1.8 KB
│ └─ 🐍 upload_file.py Python 131L · 3.9 KB
└─ 📝 SKILL.md Markdown 81L · 3.0 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
(stdlib only) | N/A | Python 3 standard library | | No third-party packages installed

Security highlights

✓ Uses only Python standard library — no third-party dependencies, minimal supply chain risk
✓ No subprocess, os.system, or shell execution — all logic is in-process Python
✓ No obfuscation (no base64 decode+exec, no eval, no dynamic code loading)
✓ QINIU credentials used exclusively for HMAC-SHA1 token signing and never leave the process
✓ Network requests limited to Qiniu's official upload API endpoint
✓ Credential keys (access_key, secret_key) are not logged or exposed in output JSON
✓ SKILL.md accurately describes the skill's scope, inputs, and behavior
✓ File input is validated — FileNotFoundError raised if path does not exist
✓ Args validation (expires-in > 0) prevents DoS via negative time values