Cloud Architecture Canvas
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Tencent Cloud advisor purpose, but it requests powerful cloud credentials/roles and disables HTTPS hostname checking in API scripts.
Before installing, use a restricted Tencent Cloud sub-account or temporary credentials, review the CAM role policies carefully, do not approve role creation unless you accept the full listed permissions, and wait for the HTTPS verification issue to be fixed if you will use this on a real cloud account.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Approving role creation may grant the skill-created role more Tencent Cloud authority than the user expects, including write capabilities.
The skill describes creating/using a CAM role for login links, but the listed policies include full Advisor access and full tag read/write access, which is broader than a narrow viewing/login workflow and contradicts the 'does not affect other cloud resources' assurance.
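Associated policies: `QcloudTAGFullAccess` (full read/write access to tags), `QcloudAdvisorFullAccess` (full read/write access to Advisor) ... Purpose: used only to generate password-free console login links; does not affect other cloud resources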
Use a dedicated low-privilege Tencent Cloud sub-account or custom least-privilege CAM policy, and do not approve role creation unless the exact permissions are acceptable.
A network attacker or misconfigured proxy could make the agent trust the wrong HTTPS endpoint, risking exposure or manipulation of cloud API traffic or login-link responses.
The static scan reports disabled HTTPS hostname checking in the Tencent Cloud API script, with the same pattern also flagged in the login URL script; these scripts handle signed API calls and login-related flows.
ctx.check_hostname = False
Do not use the skill until TLS certificate and hostname verification are restored; the scripts should use Python's default verified HTTPS context.
Anyone or any process that can read the user's shell profile may be able to recover long-lived Tencent Cloud credentials.
The skill openly requires Tencent Cloud AK/SK credentials and instructs users to persist them in shell profile files; this is purpose-aligned but sensitive.
**Environment variables must be permanently written to the shell configuration file** ... `echo 'export TENCENTCLOUD_SECRET_KEY="your-secret-key"' >> ~/.bashrc`
Prefer short-lived credentials or a restricted sub-account, protect shell profile permissions, and rotate/revoke keys if the machine is shared or compromised.
Users have fewer ways to verify the publisher's source history or audit changes outside the registry package.
The artifact does not provide an upstream source or homepage, which limits independent provenance review for scripts that handle cloud credentials and IAM operations.
Source: unknown; Homepage: none
Install only if you trust the ClawHub publisher and review the included scripts before entering or approving cloud credentials.
