Tencent Cloud Log Service

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed helper for querying Tencent Cloud CLS logs, with expected credential and local export risks but no hidden or destructive behavior in the artifact.

Install this only if you intend to let an agent query Tencent Cloud CLS logs. Use a dedicated least-privilege Tencent Cloud key, verify the third-party clscli Homebrew tap/source, keep regions/topics/time ranges explicit, and write exported logs only to protected locations because they may contain secrets or user data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium, 88% confidence
Finding
The skill instructs users to export long-lived Tencent Cloud secret credentials but does not warn about protecting them, avoiding shell history leakage, or preferring least-privilege/ephemeral credentials. Because this skill is specifically for querying cloud logs, compromise of these credentials could enable unauthorized access to sensitive operational data or broader cloud resources depending on IAM scope.

Missing User Warnings

Low, 82% confidence
Finding
The documentation encourages writing query results to local files without warning that CLS query output may contain sensitive log data such as tokens, IPs, user identifiers, or application errors. This creates a local data persistence risk, especially on shared machines or in insecure working directories, but it is limited to what the user intentionally queried and stored.

Missing User Warnings

Low, 84% confidence
Finding
The skill documents exporting log context to files without noting that surrounding log context often contains even more sensitive adjacent events than a single query result. This can unintentionally persist secrets or incident data locally, increasing exposure if the host is shared or compromised.

VirusTotal

63/63 vendors flagged this skill as clean.
