Tencent Cloud CVM

Type: OpenClaw Skill Name: tencentcloud-cvm-skill Version: 1.0.2 The skill is classified as suspicious due to the use of `sshpass` for password-based SSH authentication and the disabling of SSH host key checking (`StrictHostKeyChecking=no`, `UserKnownHostsFile=/dev/null`) in `scripts/common.sh` and various `scripts/ops/*.sh` files. While these are risky, they are explicitly documented as part of an O&M toolset. The skill also stores instance passwords locally in `~/.tencent_cvm_passwords` (with `chmod 600`), which is sensitive. However, the `SKILL.md` explicitly states that 'write operations' require 'manual confirmation', and `scripts/ops/remote-exec.sh` implements a robust whitelist/blacklist to prevent arbitrary command execution, command chaining, and remote payload execution, indicating an intent to control and limit potentially harmful actions rather than enable them maliciously. There is no evidence of intentional data exfiltration to external endpoints, persistence mechanisms, or prompt injection against the agent.