MigraQ

What to consider before installing: - Purpose fit: This skill appears to be what it says — a Tencent Cloud migration assistant that calls the CMG ChatCompletions endpoint and needs your Tencent AK/SK. - Main risk: SKILL.md tells users to persist SecretId/SecretKey in shell profile files (e.g., appending to ~/.zshrc). Storing long-lived AK/SK in plain text dotfiles is risky — prefer ephemeral or least-privilege credentials (short-lived STS tokens or a dedicated low-privilege account) and avoid committing dotfiles to VCS. - Inconsistencies to verify: the skill's front matter says AK/SK are "not written to file or log", yet instructions show echo >> to ~/.zshrc. The API docs file also contains an inaccurate Authorization example (says "Bearer <TENCENTCLOUD_SECRET_KEY>" while the scripts implement TC3-HMAC-SHA256). These mismatches suggest sloppy documentation; inspect the scripts before trusting them. - Practical recommendations: - Review the bundled Python scripts locally (they are included) before running them. They appear to only implement TC3 signing and SSE reading, but confirm there are no hidden endpoints or exfiltration code in the truncated sections. - Use a dedicated least-privilege TencentCloud subaccount (as the SKILL.md suggests) and prefer short-lived credentials if possible. - Do not blindly run the suggested echo >> commands; instead set env vars in the session or use a secure secrets manager. If you must persist credentials, use OS-provided secure storage (e.g., Windows Credential Manager, macOS Keychain) or protect dotfiles and your repo. - Run the scripts in an isolated environment (VM or container) until you validate behavior. - If you want higher assurance: ask the skill author for an explanation of the conflicting statements about key handling and for a signed/official release URL. If the author can't clarify, treat the conflicting guidance as a red flag and avoid using persistent credentials with this skill.