Tencent Cloud APM Performance Analysis Skill (腾讯云APM性能分析skill)

Security checks across malware telemetry and agentic risk

Overview

This skill is a Tencent Cloud APM analysis helper that openly requires cloud credentials and outbound network access; the scan below also surfaced several implementation risks that users should handle deliberately before installing it.

Install only if you intend to let the skill access Tencent Cloud APM with your credentials. Use a least-privilege Tencent Cloud subaccount, prefer environment variables over CLI secret flags, do not paste secrets into chat, and review or redirect the error log location if logs may contain sensitive operational details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_script(python_path, script_args):  # wrapper assumed; the page quotes only the body
    cmd = [python_path] + script_args

    try:
        result = subprocess.run(cmd, check=False)
        return result.returncode
    except Exception as e:
        print(f"Error: failed to execute script: {e}")
Confidence
94% confidence
Finding
result = subprocess.run(cmd, check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares only Bash and Read, but its documented behavior clearly uses environment secrets, shell execution, and outbound network access to a remote Tencent Cloud APM MCP server. This mismatch weakens security review and permission gating, because operators may approve or run the skill without realizing it can access credentials and transmit data externally.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill simultaneously forbids creating files and instructs that errors are written to a local log file. This contradiction can cause agents or wrappers to violate the no-file-creation safety rule during failure handling, and error logs often become an unintended sink for sensitive operational data even if secrets are intended to be excluded.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This code loads cloud credentials from environment variables and local credential files, which is a sensitive capability beyond the stated APM-analysis purpose of the skill. In an agent-skill context, unnecessary credential discovery increases the risk of secret access and later misuse even if the code appears to come from a standard SDK helper.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file automatically queries instance metadata services and performs STS/OIDC role assumption, enabling acquisition of temporary cloud credentials from the runtime environment. In a skill advertised for APM analysis, these hidden cloud-auth flows materially expand privilege and make the skill more dangerous because it can obtain credentials without explicit user action.
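The three findings above (permissions declared narrower than observed behaviour, environment credential reads, and metadata/STS flows) rest on one underlying check: compare what a skill's manifest declares with what its code can be seen to do. The following Python is an added example written for this page, not SkillSpector's scanner or the skill's own code. The sample source, the declared permission set and the permission names other than Bash and Read (Env, Network, Credentials) are constructed for the demonstration, and the string heuristics are deliberately simple.

```python
import ast
import re

# Constructed inputs for this example: the permissions a skill manifest declares,
# and a source file modelled on the snippets quoted in the findings on this page.
DECLARED = {"Bash", "Read"}
SAMPLE_SOURCE = '''
import os
import subprocess
import requests

def get_credential():
    secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID")
    secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY")
    return secret_id, secret_key

def role_token():
    # link-local instance-metadata address; illustrative, not a Tencent-specific endpoint
    return requests.get("http://169.254.169.254/latest/meta-data/").text

def run(python_path, script_args):
    return subprocess.run([python_path] + script_args, check=False).returncode
'''

# Permission names other than Bash and Read are assumed for this example.
BEHAVIOUR_TO_PERMISSION = {
    "env_secret_read": "Env",
    "subprocess": "Bash",
    "network": "Network",
    "metadata_or_sts": "Credentials",
}
NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "httpx", "socket"}
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSWORD|CREDENTIAL", re.I)
METADATA_RE = re.compile(r"169\.254\.\d+\.\d+|metadata|assume_?role|\bsts\b|\boidc\b", re.I)


def dotted_name(node):
    """'os.environ.get' for an attribute chain rooted at a Name, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


class BehaviourCollector(ast.NodeVisitor):
    """Records coarse behaviours (env secret reads, subprocess, network, metadata/STS)."""

    def __init__(self):
        self.found = set()

    def _module(self, name):
        top = (name or "").split(".")[0]
        if top in NETWORK_MODULES:
            self.found.add("network")
        if top == "subprocess":
            self.found.add("subprocess")

    def visit_Import(self, node):
        for alias in node.names:
            self._module(alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        self._module(node.module)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in ("os.environ.get", "os.getenv") and node.args:
            first = node.args[0]
            if isinstance(first, ast.Constant) and isinstance(first.value, str) \
                    and SECRET_NAME_RE.search(first.value):
                self.found.add("env_secret_read")
        if name.startswith("subprocess."):
            self.found.add("subprocess")
        self.generic_visit(node)

    def visit_Constant(self, node):
        # String literals naming metadata addresses or STS/OIDC role flows.
        if isinstance(node.value, str) and METADATA_RE.search(node.value):
            self.found.add("metadata_or_sts")


def observed_behaviours(source):
    collector = BehaviourCollector()
    collector.visit(ast.parse(source))
    return collector.found


def underdeclared_permissions(source, declared):
    """Permissions the code needs that the manifest does not declare, sorted."""
    needed = {BEHAVIOUR_TO_PERMISSION[b] for b in observed_behaviours(source)}
    return sorted(needed - set(declared))


if __name__ == "__main__":
    print("observed:", sorted(observed_behaviours(SAMPLE_SOURCE)))
    print("underdeclared:", underdeclared_permissions(SAMPLE_SOURCE, DECLARED))
```

Run against the constructed sample, the checker reports Credentials, Env and Network as undeclared while Bash is covered, which is the gating decision an operator wants before approving the skill. A real scanner would resolve aliases and indirect calls; the point here is that the comparison is mechanical once behaviours and declarations share a vocabulary.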

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This helper provides a general-purpose Python script launcher unrelated to the narrow APM analysis functionality described in the skill metadata. In an agent setting, unnecessary execution primitives increase attack surface and enable capability expansion beyond the intended scope, making misuse easier if another component can invoke this helper with attacker-controlled arguments.
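A launcher that still serves the skill's purpose but removes the capability expansion this finding describes pins the interpreter, fixes the script directory, keeps caller arguments after the script path so none of them can become an interpreter option, bounds their size, and passes a minimal environment. The code below is an added example for this page, not the skill's helper; the script directory, the APM_SKILL_SCRIPT_ROOT override and the child environment allowlist are assumptions.

```python
import os
import subprocess
import sys
from pathlib import Path

# Assumptions for this example: scripts live in a fixed directory shipped with the
# skill, callers name a script rather than a path, and the child needs only PATH,
# HOME, LANG and the two Tencent Cloud credential variables.
SCRIPT_ROOT = Path(os.environ.get("APM_SKILL_SCRIPT_ROOT", "/opt/apm-skill/scripts"))
CHILD_ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "TENCENTCLOUD_SECRET_ID", "TENCENTCLOUD_SECRET_KEY")
MAX_ARGS, MAX_ARG_LEN = 16, 256


def check_script_name(name):
    """Return None if name is an acceptable bare script name, otherwise the reason."""
    if not isinstance(name, str) or not name:
        return "empty script name"
    if "/" in name or "\\" in name or name.startswith(".") or "\x00" in name:
        return "script name must be a bare file name"
    if not name.endswith(".py"):
        return "only .py scripts may be launched"
    return None


def resolve_script(name, root=SCRIPT_ROOT):
    """Resolve name inside root and refuse anything that escapes it via .. or a symlink."""
    reason = check_script_name(name)
    if reason:
        raise ValueError(f"{reason}: {name!r}")
    root = Path(root).resolve()
    candidate = (root / name).resolve()  # follows symlinks, so an escape shows up here
    if candidate.parent != root:
        raise ValueError(f"script escapes {root}: {name!r}")
    return candidate


def check_args(args):
    """Bound the argument list; the script, not the interpreter, will parse them."""
    if len(args) > MAX_ARGS:
        return "too many arguments"
    for a in args:
        if not isinstance(a, str) or "\x00" in a or len(a) > MAX_ARG_LEN:
            return "argument is not a short NUL-free string"
    return None


def build_command(script, args):
    """argv list: fixed interpreter, isolated mode, fixed script, then caller args.
    Because the script path precedes the caller's arguments, none of them can be
    read as an interpreter option such as -c; -I also ignores PYTHON* variables."""
    return [sys.executable, "-I", str(script), *args]


def build_child_env(environ, allow=CHILD_ENV_ALLOWLIST):
    """Pass only allowlisted variables to the child instead of the whole environment."""
    return {k: v for k, v in environ.items() if k in allow}


def launch(name, args, environ=None, timeout=300, root=SCRIPT_ROOT):
    script = resolve_script(name, root)
    reason = check_args(args)
    if reason:
        raise ValueError(reason)
    env = build_child_env(os.environ if environ is None else environ)
    # List argv with no shell, so arguments are never re-parsed; the timeout bounds runaway scripts.
    result = subprocess.run(build_command(script, args), check=False,
                            env=env, cwd=str(root), timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    print(launch(sys.argv[1], sys.argv[2:]))
```

The contrast with the quoted helper is that neither the interpreter path nor the script location is caller-controlled any more, and a caller that can only supply a bare script name plus bounded arguments cannot turn the launcher into a generic execution primitive.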

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation includes example code that embeds cloud credentials directly and demonstrates sending data to Tencent Cloud without any warning about secret handling, external transmission, or least-privilege use. In an agent skill context, this can normalize unsafe copy-paste behavior and cause users or downstream agents to expose secrets or unknowingly send potentially sensitive observability data to a third-party cloud endpoint.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script accepts `--secret-id` and `--secret-key` as command-line parameters, which can expose secrets through shell history, process listings, audit logs, and job runner telemetry. While this is a common convenience feature, it creates a real credential exposure risk on multi-user systems and CI environments.
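The overview's advice (environment variables rather than secret flags, a reviewed error log location) and the two findings on the documentation examples and the --secret-id/--secret-key parameters translate into a small amount of code: refuse secret-bearing flags before they can be echoed back, read the key pair only from the environment, create the error log as a user-private file at an overridable path, and scrub secret values from every log record. The following Python is an added example written for this page, not part of the skill; the APM_SKILL_ERROR_LOG variable, the default log path and the --instance-id argument are assumptions.

```python
import argparse
import logging
import os
import stat
from pathlib import Path

ENV_ID, ENV_KEY = "TENCENTCLOUD_SECRET_ID", "TENCENTCLOUD_SECRET_KEY"
SECRET_FLAGS = ("--secret-id", "--secret-key")
# Assumed for this example: the log path is overridable with APM_SKILL_ERROR_LOG.
DEFAULT_LOG = Path.home() / ".apm-skill" / "error.log"


def check_no_secret_flags(argv):
    """Return the secret-bearing flags present in argv (both '--flag v' and '--flag=v')."""
    return [a.split("=", 1)[0] for a in argv if a.split("=", 1)[0] in SECRET_FLAGS]


def load_credentials(environ):
    """Read the key pair from the environment only; None when either half is missing."""
    secret_id, secret_key = environ.get(ENV_ID), environ.get(ENV_KEY)
    if not secret_id or not secret_key:
        return None
    return secret_id, secret_key


def redact(text, secrets):
    """Replace every secret value in text with a marker, longest value first."""
    for s in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(s, "[REDACTED]")
    return text


class RedactingFilter(logging.Filter):
    """Scrubs secret values out of every record before any handler writes it."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()  # the arguments were rendered into msg above
        return True


def open_error_log(secrets, environ=os.environ):
    """Create the error log as a user-private (0600) file and attach the redacting filter."""
    path = Path(environ.get("APM_SKILL_ERROR_LOG", DEFAULT_LOG))
    path.parent.mkdir(parents=True, exist_ok=True)
    path.touch(mode=0o600, exist_ok=True)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # also tighten a pre-existing file
    logger = logging.getLogger("apm-skill")
    logger.setLevel(logging.ERROR)
    handler = logging.FileHandler(path)
    handler.addFilter(RedactingFilter(secrets))
    logger.addHandler(handler)
    return logger, path


def main(argv):
    parser = argparse.ArgumentParser(description="APM query; credentials come from the environment")
    parser.add_argument("--instance-id", required=True)
    # Fail closed before argparse sees argv so a secret value is never echoed in a usage error.
    offending = check_no_secret_flags(argv)
    if offending:
        raise SystemExit(f"refusing {', '.join(offending)}: set {ENV_ID} and {ENV_KEY} instead")
    args = parser.parse_args(argv)
    creds = load_credentials(os.environ)
    if creds is None:
        raise SystemExit(f"set {ENV_ID} and {ENV_KEY}")
    logger, path = open_error_log(creds)
    # Even a careless log call cannot leak the key: the filter rewrites it on the way out.
    logger.error("query for %s failed (key in use: %s)", args.instance_id, creds[1])
    return path


if __name__ == "__main__":
    import sys
    print("errors logged to", main(sys.argv[1:]))
```

Refusing the flags outright, rather than merely documenting them as discouraged, is what keeps the secret out of shell history, process listings and CI job output; the redacting filter is the backstop for the log sink the Intent-Code Divergence finding worries about.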

Env Variable Harvesting

High
Category
Data Exfiltration
Content
"""

    def get_credential(self):
        self.secret_id = os.environ.get('TENCENTCLOUD_SECRET_ID')
        self.secret_key = os.environ.get('TENCENTCLOUD_SECRET_KEY')

        if self.secret_id is None or self.secret_key is None:
Confidence
96% confidence
Finding
os.environ.get('TENCENTCLOUD_SECRET

Env Variable Harvesting

High
Category
Data Exfiltration
Content
import os

class EnvironmentVariableCredential:  # class name assumed; the page quotes only this method
    def get_credential(self):
        self.secret_id = os.environ.get('TENCENTCLOUD_SECRET_ID')
        self.secret_key = os.environ.get('TENCENTCLOUD_SECRET_KEY')

        if self.secret_id is None or self.secret_key is None:
            return None
        return self  # continuation not shown on the page; assumed
Confidence
96% confidence
Finding
os.environ.get('TENCENTCLOUD_SECRET_KEY

VirusTotal

65/65 vendors reported this skill as clean.

View on VirusTotal