Architecture SLA Tracker by CloudQ

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its Tencent Cloud Advisor purpose, but it asks for powerful cloud credentials and roles while including broad API and unsafe TLS behavior that users should review first.

Install only if you are comfortable granting Tencent Cloud credentials and reviewing IAM changes. Use least-privilege or temporary keys, do not approve role creation unless you accept QcloudTAGFullAccess and QcloudAdvisorFullAccess, avoid sharing generated console login links, and ask the publisher to fix TLS verification and narrow the API helper before production use.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If misused by a prompt or agent workflow, this helper could call non-Advisor Tencent Cloud APIs, including write operations, as far as the user's AK/SK permissions allow.

Why it was flagged

The helper accepts arbitrary service, host, action, version, and payload values, then signs the request with the user's Tencent Cloud credentials rather than enforcing the Advisor-only actions described in SKILL.md.

Skill content
python3 tcloud_api.py <service> <host> <action> <version> [payload] [region]
Recommendation

Restrict the helper to an explicit allowlist of required Advisor/CAM/STS actions and require clear user confirmation for any write or IAM operation.

ASI03: Identity and Privilege Abuse
High
What this means

Approving role creation can grant broader cloud-account authority than simply viewing Advisor results, including tag write access and full Advisor access through generated console-login links.

Why it was flagged

The role-creation script attaches full-access Tag and Advisor policies to a persistent console-login CAM role.

Skill content
POLICY_NAMES = ["QcloudTAGFullAccess", "QcloudAdvisorFullAccess"]
Recommendation

Use a least-privilege custom policy limited to the exact read-only Advisor APIs needed, avoid QcloudTAGFullAccess unless strictly required, and review/delete the CAM role after use.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

Users may approve powerful IAM changes under the mistaken belief that the role is read-only and limited to harmless viewing.

Why it was flagged

The documentation describes a FullAccess policy as read-only and says it does not affect other cloud resources, while later instructions and create_role.py show full Advisor access plus QcloudTAGFullAccess.

Skill content
Will attach the policy `QcloudAdvisorFullAccess` (Smart Advisor read-only access; does not affect other cloud resources)
Recommendation

Correct the permission description, explicitly disclose all policies attached, and explain what resources each policy can read or modify before asking for approval.

ASI02: Tool Misuse and Exploitation
Medium
What this means

On systems without certifi, a network attacker could potentially intercept or tamper with Tencent Cloud API/STS traffic, including temporary credentials or login-link material.

Why it was flagged

The API helper disables hostname and certificate verification in its fallback SSL context, and similar logic is also reported in login_url.py.

Skill content
ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE
Recommendation

Fail closed if a trusted CA bundle is unavailable, require certifi or a system CA store, and never set ssl.CERT_NONE for credentialed cloud API calls.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The skill may check updates or present identity/version information for a different slug than the one the user installed.

Why it was flagged

The local metadata differs from the supplied registry metadata for this review, which lists slug arch-sla-cloudq and version 1.0.0; check_env.py uses the local slug for remote version checks.

Skill content
"slug": "cloudq-sre", "version": "1.4.0"
Recommendation

Ask the publisher to align registry metadata, _meta.json, SKILL.md name, and update-check slug before relying on automatic version guidance.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone or any process with access to those shell configuration files may be able to recover the cloud API credentials.

Why it was flagged

The skill instructs users to persist Tencent Cloud SecretId and SecretKey in shell startup files, which is expected for this integration but stores long-lived cloud credentials locally.

Skill content
Environment variables must be permanently written to the shell configuration file
Recommendation

Prefer least-privilege or temporary credentials, protect shell config file permissions, and rotate keys if they may have been exposed.