Architecture Governance & Assessment

Before installing or running this skill: - Treat long‑lived AK/SK carefully: do not blindly follow the SKILL.md instruction to append SecretId/SecretKey to ~/.bashrc/.zshrc. Prefer using ephemeral STS tokens or exporting credentials only for the session where you run the tool. If you must use long‑lived keys, rotate them often and restrict their permissions. - Inspect create_role.py and scripts/cleanup.py to confirm the exact IAM actions and which policies will be attached. Do not consent to role creation until you understand the attached policies (ensure they follow least privilege). - Note an undeclared dependency: check_env.py calls the external 'clawhub' command for version checks. If you don't have or trust that tool, run check_env.py with --skip-update or run scripts in an isolated environment. - Run initial checks in a safe/test account (not production) to observe what APIs are called and what the role creation would do. Consider running in an isolated VM/container. - If you decide to proceed, avoid persisting secrets in shell rc; instead temporarily export them in-session or use a secure secrets manager. After use, clear any environment variables and inspect ~/.tencent-cloudq/config.json for what was written (it should contain only the role ARN per documentation). - If anything seems inconsistent (policy names, wording about read/write vs read-only), ask the publisher for clarifications or reject the skill. The skill's source/homepage is unknown — that reduces trustworthiness; prefer skills from known publishers or with public source repositories you can audit.