Trusted — Risk Score 5/100
Last scan: 18 hr ago
baidu-cloud-bos
Baidu AI Cloud Object Storage (BOS) integration skill - Baidu Cloud Object Storage integration
Legitimate Baidu Cloud Object Storage integration skill with clear documentation, proper credential handling, and no malicious behavior detected.
Skill Name: baidu-cloud-bos
Duration: 44.6s
Engine: pi
Safe to install
Skill is safe to use. Consider pinning the SDK version in package.json for improved supply chain hygiene.

Findings 2 items

Severity | Finding | Location
Low | SDK version not pinned | Supply Chain
The @baiducloud/sdk dependency in package.json uses the caret range ^1.0.7, which lets npm resolve any 1.x release at or above 1.0.7 rather than one fixed version. The package is Baidu's official SDK, but an exact version gives reproducible installs. Note also that the file tree contains no lockfile (package-lock.json or similar), so nothing currently records the resolved version or the integrity hash of the tarball that was installed.
"@baiducloud/sdk": "^1.0.7"
→ Change to "@baiducloud/sdk": "1.0.7" for exact version control, and commit a lockfile so installs verify the same tarball
package.json:7
Info | Credential access is intentional and documented | Credential Theft
The skill requires Baidu Cloud credentials (AccessKeyId, SecretAccessKey), which it stores in ~/.config/openclaw/baidu-cloud-bos/credentials.json with mode 600. SKILL.md documents this behavior explicitly. Mode 600 keeps the file from other local accounts only; any process running as the same user can still read the plaintext keys.
Persist credentials to ~/.config/openclaw/baidu-cloud-bos/credentials.json
→ No action needed - this is expected behavior for a cloud storage integration
SKILL.md:43
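The Low finding above is a one-character change, but the same check is worth running over every dependency group, and the file tree in this report shows no lockfile either. The following JavaScript is an added example, not code from the baidu-cloud-bos skill or from the scanner: it classifies each spec in a package.json (exact version, caret/tilde range, dist-tag, git/URL, local path) and reports whether any lockfile is present. The manifest and file list it runs on are constructed here from what the report shows.

```javascript
// Added example, not code from the baidu-cloud-bos skill or from the scanner:
// audit a package.json for dependency specs that are not exact versions and
// check whether a lockfile exists to pin resolved versions and integrity hashes.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_GROUPS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"];

// Classify one dependency spec. Returns null for an exact version; otherwise a
// finding saying why the spec can resolve to more than one artifact over time.
function classifySpec(group, name, spec) {
  if (EXACT_VERSION.test(spec)) return null;
  const base = { group, name, spec, suggestion: null };
  if (/^[\^~]/.test(spec) && EXACT_VERSION.test(spec.slice(1))) {
    // ^1.0.7 allows >=1.0.7 <2.0.0 and ~1.0.7 allows >=1.0.7 <1.1.0; the exact
    // form is the same string without the sigil.
    return { ...base, kind: "range", suggestion: spec.slice(1) };
  }
  if (/^(?:https?:|git\+|git:|github:|ssh:)/.test(spec) || /^[\w.-]+\/[\w.-]+(?:#.*)?$/.test(spec)) {
    return { ...base, kind: "url-or-git" }; // mutable unless a full commit hash is given
  }
  if (/^(?:file:|\.\.?\/|\/)/.test(spec)) return { ...base, kind: "local-path" };
  if (/[\s|<>=*]/.test(spec) || /^\d+(?:\.(?:\d+|x))*$/.test(spec)) return { ...base, kind: "range" };
  return { ...base, kind: "dist-tag" }; // e.g. "latest" or "next": whatever the registry points at today
}

// Walk every dependency group and look for a lockfile among the repo's files.
function auditManifest(manifest, repoFiles) {
  const findings = [];
  for (const group of DEP_GROUPS) {
    for (const [name, spec] of Object.entries(manifest[group] ?? {})) {
      const finding = classifySpec(group, name, String(spec));
      if (finding) findings.push(finding);
    }
  }
  const lockfile = LOCKFILES.find((f) => repoFiles.includes(f)) ?? null;
  return { findings, lockfile };
}

// Constructed input mirroring what the scan reports: one dependency on the
// caret range ^1.0.7, and a five-file tree with no lockfile.
const SAMPLE_MANIFEST = {
  name: "baidu-cloud-bos",
  dependencies: { "@baiducloud/sdk": "^1.0.7" },
};
const SAMPLE_FILES = [
  "package.json", "SKILL.md", "scripts/bos_node.mjs", "scripts/setup.sh", "references/api_reference.md",
];

const sampleReport = auditManifest(SAMPLE_MANIFEST, SAMPLE_FILES);
for (const f of sampleReport.findings) {
  const fix = f.suggestion ? `pin to "${f.suggestion}"` : "pin to the version actually resolved";
  console.log(`${f.group}: ${f.name} "${f.spec}" is a ${f.kind}; ${fix}`);
}
if (!sampleReport.lockfile) {
  console.log("no lockfile found; exact pins alone do not record tarball integrity hashes");
}
```

The lockfile check matters as much as the pin: an exact version still trusts the registry to serve the same bytes, whereas a committed lockfile carries the integrity hash that npm verifies on install.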
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: credentials stored to ~/.config/openclaw/
Network | READ | READ | ✓ Aligned | SKILL.md: BOS API operations (upload/download/list)
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: setup.sh, bcecmd commands, npm install
Environment | READ | READ | ✓ Aligned | bos_node.mjs:42 - reads BCE_* env vars for credentials
Skill Invoke | NONE | NONE | | No skill-to-skill invocation found
External URLs: 6 findings
Severity | Finding | URL | Location
Medium | External URL | https://console.bce.baidu.com/iam/#/iam/accesslist | SKILL.md:35
Medium | External URL | https://console.bce.baidu.com/bos/ | SKILL.md:36
Medium | External URL | https://cloud.baidu.com/doc/BOS/s/Djwvyrhiw | SKILL.md:86
Medium | External URL | https://cloud.baidu.com/doc/BOS/s/kmcn3zrup | SKILL.md:172
Medium | External URL | https://cloud.baidu.com/doc/BOS/s/Ck1rymwdi | scripts/setup.sh:60
Medium | External URL | https://cloud.baidu.com/doc/BOS/s/Ck1rymwdi | scripts/setup.sh:173
All six point at Baidu Cloud console or documentation hosts (console.bce.baidu.com, cloud.baidu.com), consistent with the network evidence above; none is a download or script-fetch location.

File Tree

5 files · 36.2 KB · 1166 lines
Markdown 2 files · 487 lines; JavaScript 1 file · 403 lines; Shell 1 file · 266 lines; JSON 1 file · 10 lines
├─ 📁 references
│ └─ 📝 api_reference.md Markdown 209L · 9.0 KB
├─ 📁 scripts
│ ├─ 📜 bos_node.mjs JavaScript 403L · 10.1 KB
│ └─ 🔧 setup.sh Shell 266L · 7.0 KB
├─ 📋 package.json JSON 10L · 226 B
└─ 📝 SKILL.md Markdown 278L · 9.8 KB

Dependencies 1 item

Package | Version | Source | Known Vulns | Notes
@baiducloud/sdk | ^1.0.7 | npm | No | Official Baidu Cloud SDK, version range not pinned

Security Positives

✓ Clear and comprehensive SKILL.md documentation covering all operations
✓ Credentials validated with regex patterns before use (setup.sh lines 97-109)
✓ Credentials stored with 600 file permissions (chmod 600)
✓ Credentials are read from env vars first, falling back to the config file, so a caller can supply short-lived keys without writing them to disk
✓ No base64 encoding, obfuscation, or suspicious code patterns
✓ All network connections go to documented Baidu Cloud endpoints (bcebos.com)
✓ No exfiltration of credentials to third parties
✓ Input validation present for all user-provided parameters
✓ Dependency is Baidu's official SDK (@baiducloud/sdk)
✓ Error handling implemented throughout bos_node.mjs
✓ JSON structured output for all operations