Trusted — Risk Score 5/100
Last scan: 2 days ago
cloud-upload-backup
Cloud file upload and backup tool. Upload local files to Tencent SMH cloud storage, generate download links and image previews.
Cloud file upload/backup tool using Tencent SMH. All capabilities are declared, credentials are scoped to smh_ prefix, network traffic is limited to api.tencentsmh.cn, and no malicious patterns were found.
Skill Name: cloud-upload-backup
Duration: 31.7s
Engine: pi
Safe to install
Skill is safe to use. Consider pinning smh-node-sdk to a specific version for reproducibility.

Findings 2 items

Severity Finding Location
Low
smh-node-sdk version not pinned
SKILL.md instructs `npm install -g smh-node-sdk` without specifying a version, which could lead to unexpected updates.
npm install -g smh-node-sdk
→ Pin to a specific version: npm install -g smh-node-sdk@<version>
SKILL.md:27
Info
Access token embedded in download URL
The generated download URL contains the raw access_token as a query parameter. This is standard SMH API behavior, but the URL is delivered to the user.
?access_token=${encodeURIComponent(accessToken)}
→ This is expected SMH behavior; no action needed beyond not logging URLs publicly.
SKILL.md:218
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ,WRITE | READ,WRITE | ✓ Aligned | SKILL.md: Reads local files for upload; writes /tmp/smh-upload.js |
| Network | READ | READ | ✓ Aligned | SKILL.md: All API calls to api.tencentsmh.cn only |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: Executes `node /tmp/smh-upload.js` commands |
| Environment | READ | READ | ✓ Aligned | SKILL.md: Reads smh_* env vars from .env and openclaw.json |
| Skill Invoke | NONE | NONE | | No skill_invoke usage found |
| Clipboard | NONE | NONE | | No clipboard access found |
| Browser | NONE | NONE | | No browser access found |
| Database | NONE | NONE | | No database access found |
3 findings
Medium External URL
https://api.tencentsmh.cn
SKILL.md:78
Medium External URL
https://api.tencentsmh.cn/api/v1/file/smhxxx/space-xxx/report.pdf?access_token=acctk...&ContentDisposition=attachment&Pu...
SKILL.md:183
Medium External URL
https://api.tencentsmh.cn/api/v1/file/smhxxx/space-xxx/photo.jpg?access_token=acctk...&ContentDisposition=attachment&Pur...
SKILL.md:190

File Tree

1 file · 23.2 KB · 628 lines
Markdown 1f · 628L
└─ 📝 SKILL.md Markdown 628L · 23.2 KB

Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| smh-node-sdk | * | npm | No | Version not pinned — recommend pinning to specific version |

Security Positives

✓ All script code is fully inline in SKILL.md — no dynamic download or external fetch
✓ Credential access is strictly scoped to smh_* prefixed variables only
✓ Network traffic is limited exclusively to api.tencentsmh.cn
✓ No base64 encoding, eval(), atob(), or obfuscated code found
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env for non-smh credentials
✓ No credential exfiltration or data theft patterns detected
✓ No reverse shell or C2 indicators
✓ No hidden instructions in HTML comments or metadata
✓ Script is purpose-limited: upload, info, and list only