Cloudbase
ReviewAudited by ClawScan on May 13, 2026.
Overview
The skill is mostly coherent CloudBase guidance, but it can lead an agent to change CloudBase auth and AI-model settings without consistently requiring explicit user approval.
Review before installing if you will let the agent operate against a real CloudBase account. Use a least-privileged account, verify the EnvId, and require explicit approval before any auth-provider, AI-model, billing-related, database, deployment, or other CloudBase mutation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could change login/provider settings in the user’s CloudBase environment while implementing an app flow.
This directs the agent toward CloudBase management tools and provider enablement as part of the default workflow, but does not clearly require explicit user confirmation before changing auth/provider settings.
Use MCP or mcporter first for CloudBase management tasks, and inspect tool schemas before execution. ... If the task includes login, registration, or auth configuration, read `auth-tool` first and enable required providers before frontend implementation.
Require a read-only check first, show the exact proposed configuration change and EnvId, and obtain explicit user confirmation before any `manageAppAuth` or `callCloudApi` mutation.
The agent could enable billable AI resources or unintentionally alter the set of enabled models used by other CloudBase apps in the same environment.
Updating AI model configuration is a paid, environment-wide mutation, and the full-replacement model list could affect other applications if performed without a confirmed diff and rollback plan.
ModelChargingInfo includes input / output prices and billing unit. Surface the prices to the user before enabling. Then enable (note: `Models` is a **full replacement** — always resend the already-enabled models together with the new one)
Before `UpdateAIModel`, show current models, proposed models, pricing, and consequences, then require explicit approval and preserve a rollback copy of the previous configuration.
The agent may operate with the user’s CloudBase management privileges.
The skill expects an authenticated CloudBase management context and can use temporary credentials; this is expected for CloudBase management but is sensitive authority.
`auth`: MCP / management-side login only. Use it for `status`, `start_auth`, `set_env`, `logout`, and `get_temp_credentials`.
Use the least-privileged account/environment possible, verify the selected EnvId, and avoid exposing or logging temporary credentials.
If the local references are unavailable, the agent could rely on remote documentation that may change after this review.
The package includes local references, but the fallback points to mutable raw files on a `main` branch rather than pinned content.
CloudBase main entry: `https://cnb.cool/tencent/cloud/cloudbase/cloudbase-skills/-/git/raw/main/skills/cloudbase/SKILL.md` ... Sibling skill pattern: `https://cnb.cool/.../git/raw/main/skills/cloudbase/references/<skill-id>/SKILL.md`
Prefer the packaged local reference files, or pin remote fallbacks to a trusted commit or signed release.