Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tencent Cloud CVM

Tencent Cloud CVM server operations toolkit

MIT-0 · Free to use, modify, and redistribute. No attribution required.
3 · 1.8k · 1 current installs · 1 all-time installs
by garden@GardenChan
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The SKILL.md and many scripts clearly require Tencent Cloud API credentials (TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY) and SSH passwords, but the registry metadata declares no required environment variables or primary credential. That mismatch is unexpected and incoherent: a CVM tool should declare it needs cloud credentials.
Instruction Scope (flagged)
SKILL.md instructs the user to export Tencent Cloud credentials and to install tccli/jq/sshpass. The included scripts then use those credentials and also persist instance passwords to a local file ($HOME/.tencent_cvm_passwords). Scripts print and store plaintext passwords, run remote commands that can read sensitive files (e.g., /etc/passwd, env, logs), and support service management (systemctl start/stop/etc.). Although SKILL.md claims write operations require manual confirmation, the scripts provide direct mechanisms for potentially destructive actions (service-manage.sh) and store secrets on disk and stdout — this broad data handling is beyond a simple query-only tool and should be considered sensitive.
Install Mechanism
There is no install spec (instruction-only in registry), but the bundle includes 29+ scripts and assets that will be executed locally. SKILL.md tells the user how to install dependencies (pip, apt, brew) but the package does not automatically install anything. Absence of an install step is not malicious by itself, but the presence of many executable scripts means installing/running them will write to disk and persist secrets.
Credentials (flagged)
The code expects and requires TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (check_credentials in scripts/common.sh, and SKILL.md shows them as required), yet the skill metadata lists no required env vars. The scripts also create and read a local password file (CVM_PASSWORD_FILE defaulting to ~/.tencent_cvm_passwords) and sometimes print passwords to the console. Requesting cloud API keys and storing instance passwords is functionally necessary for a CVM ops tool, but the omission from metadata and the insecure handling (plaintext storage and stdout exposure) are disproportionate and risky if you don't control where/how the skill runs.
Persistence & Privilege
The skill persists instance passwords to a file in the user's home and creates/updates that file (init_password_file, save_instance_password, update_instance_host). always:false and no automatic autonomous invocation are good, but the skill will leave sensitive data on disk and print it to logs — review file permissions and consider moving to a secure secrets store. The skill does not modify other skills or system-wide agent settings.
What to consider before installing
This package is a full CLI/bash toolkit for Tencent Cloud CVM and will require your Tencent API keys and instance passwords to work — but the registry metadata did not declare those requirements. Before installing or running it:

1) Verify the source and trustworthiness of this bundle (no homepage provided).
2) Inspect the scripts locally (they are included) and confirm you are comfortable with plaintext password storage at ~/.tencent_cvm_passwords and the fact that scripts print passwords to stdout.
3) Prefer SSH key-based access over sshpass/passwords; if you must use passwords, restrict the password file (chmod 600) and consider storing secrets in a dedicated secret manager.
4) Be aware scripts can perform service management (systemctl) and file transfers — run them manually and avoid granting broad automation privileges.
5) If you expect the skill to be used by an agent, ensure the agent is not allowed to auto-run destructive operations; the metadata omission of required env vars should be corrected by the author before trusting automated workflows.


Current version: v1.0.2
Latest: vk979h7vws1ahza9zw4gerz7s0s80n0b1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Tencent Cloud CVM Operations Toolkit

A Tencent Cloud CVM server operations toolkit based on Bash + tccli, covering three core functions: instance creation, resource queries, and server operations.

Quick Start

1. Install dependencies

# tccli (Tencent Cloud command-line tool)
pip3 install tccli

# jq (JSON parsing)
brew install jq        # macOS
apt install jq         # Ubuntu

# sshpass (SSH password authentication, needed for ops operations)
brew install hudochenkov/sshpass/sshpass   # macOS
apt install sshpass                         # Ubuntu

2. Configure credentials

export TENCENTCLOUD_SECRET_ID="your-secret-id"
export TENCENTCLOUD_SECRET_KEY="your-secret-key"

3. Typical workflow

# 1. Query resources to prepare for instance creation
./scripts/query/describe-zones.sh                    # list availability zones
./scripts/query/describe-images.sh --platform Ubuntu # list images
./scripts/query/describe-vpcs.sh                     # list VPCs

# 2. Create an instance (the password is saved automatically)
./scripts/lifecycle/create-instance.sh \
  --zone ap-guangzhou-3 \
  --instance-type S5.MEDIUM2 \
  --image-id img-xxx \
  --vpc-id vpc-xxx \
  --subnet-id subnet-xxx \
  --sg-id sg-xxx

# 3. Update the instance IP
./scripts/utils/update-instance-ip.sh --instance-id ins-xxx --auto

# 4. Ops operations (only the instance-id is needed)
./scripts/ops/ssh-connect.sh --instance-id ins-xxx
./scripts/ops/system-info.sh --instance-id ins-xxx

Feature modules

scripts/
├── lifecycle/    # Instance lifecycle: create, start, stop, reboot, terminate
├── query/        # Resource queries: instances, images, VPCs, subnets, security groups, availability zones
├── ops/          # Server operations: SSH, remote execution, system info, disk, processes, services, logs, security, file transfer, network
├── utils/        # Helper tools: password management, IP updates, config display
└── common.sh     # Shared function library

Instance lifecycle

| Script | Function | Example |
|---|---|---|
| recommend-instance.sh | Recommend and create by scenario | --scene blog-small |
| create-instance.sh | Create an instance manually | --zone ap-guangzhou-3 --instance-type S5.MEDIUM2 |
| start-instance.sh | Start an instance | --instance-id ins-xxx |
| stop-instance.sh | Stop an instance | --instance-id ins-xxx [--force] |
| reboot-instance.sh | Reboot an instance | --instance-id ins-xxx |
| terminate-instance.sh | Terminate an instance | --instance-id ins-xxx |

Scenario recommendations

Automatically recommends a configuration based on the usage scenario:

./scripts/lifecycle/recommend-instance.sh --scene blog-small    # personal blog
./scripts/lifecycle/recommend-instance.sh --scene web-medium    # medium web application
./scripts/lifecycle/recommend-instance.sh --list-scenes         # list all scenarios

| Scenario | Suitable for | Configuration |
|---|---|---|
| blog-small | Personal blog (daily PV < 5K) | 1 core / 1 GB |
| blog-medium | Medium blog (daily PV 5K-50K) | 2 cores / 4 GB |
| web-small | Small web app (daily PV < 10K) | 2 cores / 2 GB |
| web-medium | Medium web app (daily PV 10K-100K) | 4 cores / 8 GB |
| api-small | Small API (QPS < 100) | 2 cores / 4 GB |
| dev | Development and testing | 2 cores / 2 GB |
| database-small | Small database | 2 cores / 4 GB + 50 GB data disk |

Resource queries

| Script | Function | Common parameters |
|---|---|---|
| describe-regions.sh | Query regions | --available |
| describe-instances.sh | Query instances | --instance-id, --name |
| describe-zones.sh | Query availability zones | --region |
| describe-instance-types.sh | Query instance types | --zone, --family, --type |
| describe-images.sh | Query images | --instance-type, --platform |
| describe-vpcs.sh | Query VPCs | --vpc-id |
| describe-subnets.sh | Query subnets | --vpc-id, --zone |
| describe-security-groups.sh | Query security groups | --sg-id, --name |

Server operations

Priority policy: for ops tasks, use the ops scripts first (direct execution over SSH with password authentication); fall back to tccli API calls only when a script cannot meet the need.

Security restriction: the ops directory uses only the existing predefined scripts; dynamically generating new scripts is not supported.

Key principle: ops write operations (such as stopping, rebooting or terminating instances, service management, file transfers, etc.) are executed only after manual confirmation.

All ops scripts need only --instance-id; the password and IP are fetched automatically.

| Script | Function | Special parameters |
|---|---|---|
| ssh-connect.sh | SSH connection | --port |
| remote-exec.sh | Remote command (predefined safe commands only) | --cmd <command> |
| system-info.sh | System information | - |
| disk-usage.sh | Disk check | --threshold <n> |
| process-monitor.sh | Process monitoring | --top <n>, --filter |
| service-manage.sh | Service management | --service, --action |
| log-viewer.sh | Log viewing | --file, --lines, --follow |
| security-check.sh | Security check | - |
| file-transfer.sh | File transfer | --upload/--download, --local, --remote |
| network-check.sh | Network check | --target |

remote-exec safe command set

remote-exec.sh supports only the following predefined read-only commands, or the scripts under the ops directory:

| Category | Command | Purpose |
|---|---|---|
| System info | uptime | Uptime and load |
| | uname -a | Kernel and system information |
| | hostname | Hostname |
| | cat /etc/os-release | Operating system version |
| | date | System time |
| | timedatectl | Time zone and time-sync status |
| CPU | cat /proc/loadavg | System load |
| | top -bn1 \| head -20 | CPU and process overview |
| | mpstat | CPU usage statistics |
| | nproc | CPU core count |
| | lscpu | CPU details |
| Memory | free -h | Memory usage |
| | cat /proc/meminfo | Memory details |
| | vmstat | Virtual memory statistics |
| Disk | df -h | Disk usage |
| | df -i | inode usage |
| | lsblk | Block device list |
| | fdisk -l | Disk partition information |
| | du -sh <path> | Directory size |
| Processes | ps aux | Process list |
| | ps aux \| head -20 | First 20 processes |
| | pgrep <name> | Find processes by name |
| | pidof <name> | Get a process PID |
| Network | ip addr | Network interface information |
| | ip route | Routing table |
| | netstat -tlnp | Listening TCP ports |
| | ss -tlnp | Socket statistics |
| | ping -c 4 <host> | Connectivity test |
| | curl -I <url> | HTTP headers |
| | dig <domain> | DNS resolution |
| | traceroute <host> | Route tracing |
| Services | systemctl status <service> | Service status |
| | systemctl is-active <service> | Whether a service is running |
| | systemctl list-units --type=service | Service list |
| Logs | tail -n 100 <logfile> | View the end of a log |
| | head -n 100 <logfile> | View the start of a log |
| | journalctl -u <service> -n 100 | Service logs |
| | dmesg \| tail -50 | Kernel log |
| Security | who | Currently logged-in users |
| | w | User activity |
| | last -n 20 | Login history |
| | cat /etc/passwd | User list |
| | cat /etc/group | Group list |
| Other | env | Environment variables |
| | crontab -l | Scheduled task list |
| | docker ps | Docker container list |
| | docker images | Docker image list |
| | scripts/ops/*.sh | Predefined ops scripts under the ops directory |
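The allowlist the table above describes, as an added POSIX sh example that is not the skill's own remote-exec.sh (the page does not show how that script checks its --cmd argument). Fixed commands must match the allowlisted string exactly; the parametrised entries take exactly one argument, checked against a strict character class, so extra flags, extra arguments, path traversal and shell metacharacters are rejected before anything is sent over SSH. The function names (is_allowed_cmd, safe_token, safe_url), the one-argument rule and the demo inputs are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the skill's code: validate a remote-exec command against
# the documented read-only allowlist. Fixed commands: exact match. Parametrised
# commands: fixed prefix plus exactly one validated argument. The caller must
# then pass the validated string through unchanged, never re-interpret it.

# A single safe token (path, name, host, domain): letters, digits and . _ / -
# Rejects empty strings, a leading '-' (no extra flags), whitespace and any
# shell metacharacter.
safe_token() {
  [ -n "$1" ] || return 1
  case "$1" in
    -*) return 1 ;;
    *[!A-Za-z0-9._/-]*) return 1 ;;
  esac
  return 0
}

# A URL for curl -I: http(s) scheme plus the same class and ':'; still no
# whitespace, ? & ; | $ or backticks.
safe_url() {
  case "$1" in
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9._/:-]*) return 1 ;;
  esac
  return 0
}

# is_allowed_cmd "<command>" -> 0 if the command is allowlisted, 1 otherwise
is_allowed_cmd() {
  cmd=$1
  # Fixed read-only commands from the table: exact string match only
  case "$cmd" in
    uptime|"uname -a"|hostname|"cat /etc/os-release"|date|timedatectl| \
    "cat /proc/loadavg"|"top -bn1 | head -20"|mpstat|nproc|lscpu| \
    "free -h"|"cat /proc/meminfo"|vmstat| \
    "df -h"|"df -i"|lsblk|"fdisk -l"| \
    "ps aux"|"ps aux | head -20"| \
    "ip addr"|"ip route"|"netstat -tlnp"|"ss -tlnp"| \
    "systemctl list-units --type=service"|"dmesg | tail -50"| \
    who|w|"last -n 20"|"cat /etc/passwd"|"cat /etc/group"| \
    env|"crontab -l"|"docker ps"|"docker images")
      return 0 ;;
  esac
  # Parametrised commands: fixed prefix plus exactly one validated argument
  case "$cmd" in
    "du -sh "*)              safe_token "${cmd#"du -sh "}" ;;
    "pgrep "*)               safe_token "${cmd#"pgrep "}" ;;
    "pidof "*)               safe_token "${cmd#"pidof "}" ;;
    "ping -c 4 "*)           safe_token "${cmd#"ping -c 4 "}" ;;
    "dig "*)                 safe_token "${cmd#"dig "}" ;;
    "traceroute "*)          safe_token "${cmd#"traceroute "}" ;;
    "systemctl status "*)    safe_token "${cmd#"systemctl status "}" ;;
    "systemctl is-active "*) safe_token "${cmd#"systemctl is-active "}" ;;
    "tail -n 100 "*)         safe_token "${cmd#"tail -n 100 "}" ;;
    "head -n 100 "*)         safe_token "${cmd#"head -n 100 "}" ;;
    "curl -I "*)             safe_url "${cmd#"curl -I "}" ;;
    "journalctl -u "*)
      # journalctl -u <service> -n 100: the suffix is fixed, the service is checked
      arg=${cmd#"journalctl -u "}
      svc=${arg%" -n 100"}
      [ "$arg" != "$svc" ] && safe_token "$svc" ;;
    scripts/ops/*.sh)
      # Only a bare script name under scripts/ops/: no '..', no extra arguments
      name=${cmd#scripts/ops/}
      name=${name%.sh}
      case "$name" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
      esac
      return 0 ;;
    *) return 1 ;;
  esac
}

# Demo over a few constructed inputs (the quoted strings are test data only)
for c in "uptime" "du -sh /var/log" "uptime; id" 'du -sh $(id)' "scripts/ops/../x.sh"; do
  if is_allowed_cmd "$c"; then echo "ALLOW: $c"; else echo "DENY:  $c"; fi
done
```

The two-stage shape matters: an allowlist that only checks a command prefix (so that "du -sh" followed by anything passes) is no stronger than no allowlist at all once the string reaches a remote shell, which is why every argument position here is matched against a character class rather than merely checked for presence.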

Helper tools

| Script | Function |
|---|---|
| show-defaults.sh | Show the current configuration |
| get-password.sh | Get an instance password |
| update-instance-ip.sh | Update an instance IP |
| manage-passwords.sh | Manage the password store |

Configuration

Environment variables

| Variable | Description | Default |
|---|---|---|
| TENCENTCLOUD_SECRET_ID | API secret ID | required |
| TENCENTCLOUD_SECRET_KEY | API secret key | required |
| TENCENT_CVM_DEFAULT_REGION | Default region | ap-guangzhou |
| TENCENT_CVM_DEFAULT_ZONE | Default availability zone | - |
| TENCENT_CVM_DEFAULT_INSTANCE_TYPE | Default instance type | - |
| TENCENT_CVM_DEFAULT_IMAGE_ID | Default image | - |
| TENCENT_CVM_DEFAULT_VPC_ID | Default VPC | - |
| TENCENT_CVM_DEFAULT_SUBNET_ID | Default subnet | - |
| TENCENT_CVM_DEFAULT_SG_ID | Default security group | - |
| TENCENT_CVM_DEFAULT_DISK_SIZE | System disk size (GB) | 20 |
| TENCENT_CVM_DEFAULT_CHARGE_TYPE | Billing type | POSTPAID_BY_HOUR |

Supported regions

ap-beijing | ap-shanghai | ap-guangzhou | ap-chengdu | ap-nanjing | ap-hongkong

Supported image platforms

TencentOS | CentOS | Ubuntu | Debian

SSH login username

| OS | Default username | Example |
|---|---|---|
| Ubuntu | ubuntu | ssh ubuntu@<ip> |
| Other Linux (TencentOS, CentOS, Debian) | root | ssh root@<ip> |

Password storage

When an instance is created, a password is generated automatically and saved to ~/.tencent_cvm_passwords (mode 600):

{
  "ins-xxx": {
    "password": "aB3#xK9$mN2@pQ",
    "host": "1.2.3.4",
    "region": "ap-guangzhou",
    "created_at": "2026-02-06 15:30:00"
  }
}

Management commands:

./scripts/utils/manage-passwords.sh --list              # list all
./scripts/utils/manage-passwords.sh --show ins-xxx      # show details
./scripts/utils/manage-passwords.sh --delete ins-xxx    # delete a record
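A pre-flight check covering the credential requirement from the configuration section and the password store described above, as an added POSIX sh example that is not taken from the skill's scripts (the scan report mentions a check_credentials function in scripts/common.sh, but the page does not show its code). It verifies that both required variables are set without echoing their values, that the store is a regular file owned by the caller with mode 600, and lists the instance ids it holds without printing any password. It assumes the pretty-printed one-key-per-line JSON layout shown above and ids starting with ins-; the function names and the constructed demo store are this example's own.

```shell
#!/bin/sh
# Added example, not part of the skill: pre-flight checks before using the
# toolkit. Secrets are never printed; only variable names and instance ids are.

# check_credentials -> 0 if TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY
# are both set and non-empty; reports missing names only, never values.
check_credentials() {
  missing=0
  for v in TENCENTCLOUD_SECRET_ID TENCENTCLOUD_SECRET_KEY; do
    eval "val=\${$v:-}"          # fixed variable names, so eval is safe here
    if [ -z "$val" ]; then
      echo "required variable $v is not set" >&2
      missing=1
    fi
  done
  return $missing
}

# Octal mode and owner uid of a file (GNU stat first, BSD stat as fallback)
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# check_password_file <path> -> 0 when the store is a regular file owned by
# the current user with mode 600; 1 with a reason on stderr otherwise.
check_password_file() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "missing or not a regular file: $f" >&2; return 1
  fi
  if [ "$(file_owner "$f")" != "$(id -u)" ]; then
    echo "not owned by the current user: $f" >&2; return 1
  fi
  mode=$(file_mode "$f")
  if [ "$mode" != "600" ]; then
    echo "mode is $mode, expected 600: $f" >&2; return 1
  fi
  return 0
}

# list_instances <path> -> the top-level keys (ins-... ids), one per line.
# Matches only the key lines of the documented layout, so the password and
# host values on the other lines are never echoed.
list_instances() {
  sed -n 's/^[[:space:]]*"\(ins-[A-Za-z0-9]*\)"[[:space:]]*:[[:space:]]*{.*/\1/p' "$1"
}

# Demo on a constructed store in a temp dir (made-up values, removed afterwards)
demo() {
  dir=$(mktemp -d)
  store="$dir/passwords.json"
  cat > "$store" <<'EOF'
{
  "ins-demo1": {
    "password": "not-a-real-password",
    "host": "192.0.2.10",
    "region": "ap-guangzhou"
  },
  "ins-demo2": {
    "password": "also-not-real",
    "host": "192.0.2.11",
    "region": "ap-guangzhou"
  }
}
EOF
  chmod 644 "$store"
  check_password_file "$store" || echo "audit failed as expected for mode 644"
  chmod 600 "$store"
  check_password_file "$store" && echo "audit passed for mode 600"
  echo "instances in store (passwords withheld):"
  list_instances "$store"
  check_credentials || echo "set the credentials before running the scripts"
  rm -rf "$dir"
}
demo
```

Running check_password_file against the real ~/.tencent_cvm_passwords before each session is a cheap way to catch a store that was copied, restored from backup or created by a different tool with a wider mode than the 600 the SKILL.md promises.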

Security notes

This toolkit is designed for server operations in a trusted environment and follows these security principles:

  1. Predefined scripts: only the reviewed, predefined scripts under scripts/ are executed; dynamically generating or executing arbitrary code is prohibited
  2. Manual confirmation: all write operations (stop, reboot, terminate, file transfer, etc.) must be confirmed by a person before execution
  3. Credential security: the password file ~/.tencent_cvm_passwords has mode 600 and is accessible only to the local user
  4. Operation auditing: every operation produces log output, so actions can be traced
  5. Use cases: intended for development and test environments; for production, use together with a bastion host

References

Files: 32 total
