Tencent Cloud TIONE
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent read-only Tencent Cloud TI-ONE query skill, but it needs Tencent Cloud API keys and can return sensitive cloud logs and resource details.
Before installing, confirm you are comfortable giving the skill Tencent Cloud read access through API keys. Prefer a dedicated least-privileged read-only key, install dependencies from trusted package sources, and be careful when asking it to retrieve logs or service call information because those outputs may contain sensitive details.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can view TI-ONE resources and related cloud information allowed by the provided Tencent Cloud credentials.
The skill requires Tencent Cloud API credentials to access the user's cloud account. This is expected for the Tencent Cloud query purpose, but those keys may carry broad account privileges if not scoped carefully.
Authenticates using the credentials in environment variables (`TENCENTCLOUD_SECRET_ID` / `TENCENTCLOUD_SECRET_KEY`).
Use a least-privileged Tencent Cloud key limited to the needed TI-ONE read-only Describe permissions, and avoid using administrator or broadly scoped keys.
User requests can cause the agent to query Tencent Cloud through tccli and return cloud metadata or logs.
The scripts invoke the Tencent Cloud CLI with parameters. The provided wrappers use fixed Describe-style actions and quoted argument arrays, making this purpose-aligned rather than evidence of unsafe shell behavior.
result=$(tccli tione "$action" --region "$region" "${extra_args[@]}" 2>&1)
Keep usage to the listed scripts and review requested resource IDs, regions, and filters before querying broad account data.
Installation will rely on the package sources available in the user's environment.
The skill depends on external package-manager installs and does not pin exact package versions in the artifact. This is common for CLI-based integrations but is still a supply-chain consideration.
pip3 install tccli
apt install jq
Install tccli and jq from trusted repositories, consider pinning versions in managed environments, and avoid untrusted mirrors.
Sensitive log contents may appear in the conversation or downstream agent context.
The skill can retrieve cloud logs and print them into the agent context. Logs may contain operational details, identifiers, endpoints, or accidental secrets, although the artifacts do not show persistence or exfiltration.
result=$(call_tione_api "DescribeLogs" "$region" "${extra_args[@]}")
format_json "$result"
Query narrow time ranges and specific resources, avoid sharing returned logs unnecessarily, and redact secrets or sensitive payloads before reuse.
