AndonQ
Security checks across static analysis, malware telemetry, and agentic risk
Overview
AndonQ appears to be a real Tencent Cloud support integration, but its OAuth setup under-discloses how a reusable login code is handled and includes a non-HTTPS OAuth redirect.
Install only if you are comfortable authorizing AndonQ to access Tencent Cloud support/resource information. Prefer binding the temporary code locally in a terminal instead of pasting it into the AI chat, protect ~/.andonq/auth.json, and ask the publisher to clarify or fix the HTTP OAuth redirect and the credential-handling claims.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe the code is only handled locally and by Tencent, while the setup flow exposes it to the AI conversation/tool invocation path.
The security statement says the temporary code is only stored locally and sent to the gateway, but the recommended workflow has the user disclose the raw code to the AI and then passes it as a Bash command-line argument, where it is also visible in process listings and tool-call transcripts. That is a material under-disclosure for a credential-like value.
data_handling: "The OAuth2 temporary code is only stored locally in ~/.andonq/auth.json ... it is only transmitted in the X-TANDON-CODE request header over HTTPS when calling the AndonQ gateway; it is not written to any log" ... "It is recommended that the user send the temporary code directly to the AI, and the Skill calls the CLI to save it in one step" ... "python3 {baseDir}/scripts/andon_auth.py --save '<content pasted by the user>'"
Prefer the interactive local terminal binding flow, or clearly warn users that pasting the code into the AI exposes it to the conversation/tool context. Avoid claiming the code is only transmitted to the gateway unless the setup flow guarantees that.
If the OAuth response or temporary code is delivered through that HTTP callback, it could be exposed on the network before being saved locally.
The OAuth authorization flow is built with a non-HTTPS redirect URL. Because the temporary code is later used for account-linked ticket/resource access and persisted locally, a cleartext OAuth callback is a credential-handling concern unless the publisher documents a compensating control.
AUTHORIZE_REDIRECT_URL = "http://andon.qq.com/oauth/aq/callback"
Use an HTTPS OAuth redirect URL or document why this HTTP callback cannot expose the authorization result. Users should only authorize on trusted networks and revoke/rebind the code if they suspect exposure.
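The check a reviewer would run for this finding, written here as an added example rather than code from the skill or from ClawScan: scan a source snippet for redirect/callback URL constants and classify each one. The input is a constructed snippet that contains the constant quoted above plus two hypothetical neighbours; the loopback exemption reflects RFC 8252, which allows plain http only for native-app redirects to the loopback interface.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the redirect constant quoted in the finding above,
# plus two hypothetical neighbours so the classifier has something to compare.
SAMPLE_SOURCE = '''
AUTHORIZE_REDIRECT_URL = "http://andon.qq.com/oauth/aq/callback"
GATEWAY_URL = "https://example.invalid/andonq"          # hypothetical
LOCAL_REDIRECT_URL = "http://127.0.0.1:8765/callback"   # hypothetical loopback
'''

# Match simple string assignments whose name looks like a redirect/callback URL.
_ASSIGN_RE = re.compile(
    r'^\s*([A-Z0-9_]*(?:REDIRECT|CALLBACK)[A-Z0-9_]*)\s*=\s*["\']([^"\']+)["\']',
    re.M,
)


def classify_redirect(url: str) -> str:
    """Return 'ok', 'loopback' or 'cleartext' for an OAuth redirect URL.

    RFC 8252 permits plain http only for loopback redirects of native apps;
    any other http redirect leaves the authorization result exposed on the network.
    """
    p = urlparse(url)
    if p.scheme == "https":
        return "ok"
    if p.scheme == "http" and p.hostname in ("127.0.0.1", "::1", "localhost"):
        return "loopback"
    return "cleartext"


def audit_redirects(source: str) -> dict:
    """Map each redirect-looking constant in `source` to its classification."""
    return {name: classify_redirect(url) for name, url in _ASSIGN_RE.findall(source)}


def cleartext_redirects(source: str) -> list:
    """Names of constants that should be raised as a finding."""
    return sorted(n for n, c in audit_redirects(source).items() if c == "cleartext")


if __name__ == "__main__":
    for name, verdict in audit_redirects(SAMPLE_SOURCE).items():
        print(f"{name}: {verdict}")
```

Only AUTHORIZE_REDIRECT_URL is reported as cleartext; the loopback constant is classified separately so a reviewer can decide whether a native-app exemption applies rather than having it silently pass or fail.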
The agent can run the provided local scripts and send user questions to Tencent's AndonQ endpoint when the skill is used.
The skill relies on Bash to run included Python helper scripts that call the AndonQ API. This is expected for the integration, but users should understand that questions are sent to the external service under their authorized account.
allowed-tools: Read,Write,Bash,Grep ... python3 {baseDir}/scripts/andon_sse_api.py '<question>' [session_id]
Use the skill only for Tencent Cloud support/resource questions you intend to send to AndonQ, and review authorization prompts before providing a temporary code.
Anyone with access to the saved auth file or temporary code may be able to use the AndonQ integration until the code expires or is revoked.
The skill clearly discloses that it stores and reuses an OAuth temporary code to access Tencent Cloud support/resource information. This is purpose-aligned, but it is still account-linked authority.
After the user completes Tencent Cloud account authorization in the browser, the temporary code shown on the page is bound locally (`~/.andonq/auth.json`); on subsequent API calls the Skill automatically sends the temporary code in the `X-TANDON-CODE` request header, **and it can be reused across sessions for the duration of the authorization.**
Protect ~/.andonq/auth.json, do not share the temporary code publicly, and reauthorize/revoke access if the code may have been exposed.
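What the "bind locally in a terminal" recommendation looks like in practice, as an added example that is not the skill's own andon_auth.py: the code is read with a no-echo prompt instead of a command-line argument, written to ~/.andonq/auth.json with owner-only permissions via an atomic rename, and only ever attached to an HTTPS gateway request. The JSON layout ({"code": ...}), the gateway URL and the demo code value are assumptions; the real file format is not on the page.

```python
import json
import os
import stat
import tempfile
from getpass import getpass
from typing import List

# Assumed layout of the auth file; the real andon_auth.py format is not on the page.
AUTH_PATH = os.path.expanduser("~/.andonq/auth.json")
HEADER_NAME = "X-TANDON-CODE"


def save_code(code: str, path: str = AUTH_PATH) -> str:
    """Persist the temporary code with owner-only permissions via an atomic rename.

    The code arrives as a function argument, never as a CLI argument, so it does
    not appear in process listings or in an AI tool-call transcript.
    """
    code = code.strip()
    if not code:
        raise ValueError("empty temporary code")
    directory = os.path.dirname(path)
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # makedirs honours umask; force owner-only
    # mkstemp creates the file 0600, so the code is never world-readable, even briefly.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".auth-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump({"code": code}, fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def audit_auth_file(path: str = AUTH_PATH) -> List[str]:
    """Return a list of problems with the stored auth file (empty means fine)."""
    if not os.path.exists(path):
        return ["auth file missing"]
    issues = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        issues.append(f"auth file mode {mode:o} is readable by group/others")
    dmode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if dmode & 0o077:
        issues.append(f"directory mode {dmode:o} is accessible by group/others")
    return issues


def gateway_headers(path: str = AUTH_PATH, gateway_url: str = "") -> dict:
    """Build the header carrying the code; refuse to attach it to a non-HTTPS gateway."""
    if not gateway_url.startswith("https://"):
        raise ValueError("temporary code may only be sent over HTTPS")
    with open(path) as fh:
        return {HEADER_NAME: json.load(fh)["code"]}


def bind_interactively(path: str = AUTH_PATH) -> str:
    """Terminal flow: prompt without echo so the code stays out of argv and transcripts."""
    return save_code(getpass("Paste the temporary code shown after authorization: "), path)


def demo_round_trip() -> dict:
    """Exercise the flow in a throwaway directory: save, audit, weaken perms, re-audit."""
    base = tempfile.mkdtemp()
    path = os.path.join(base, ".andonq", "auth.json")
    save_code("demo-temporary-code", path)  # constructed value, not a real code
    clean = audit_auth_file(path)
    headers = gateway_headers(path, "https://example.invalid/andonq")  # hypothetical gateway
    try:
        gateway_headers(path, "http://example.invalid/andonq")
        refused = False
    except ValueError:
        refused = True
    os.chmod(path, 0o644)  # simulate a user loosening permissions
    weakened = audit_auth_file(path)
    return {"clean": clean, "header": headers, "refused_http": refused, "weakened": weakened}


if __name__ == "__main__":
    p = bind_interactively()
    print("saved to", p, "issues:", audit_auth_file(p) or "none")
```

Running the script binds a code interactively; demo_round_trip() shows the audit passing on a freshly written file, the HTTPS-only guard refusing a plain-http gateway, and the audit flagging the file once its mode is loosened to 644.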
