Tencent Cloud Lighthouse

v1.0.0

Manage Tencent Cloud Lighthouse (轻量应用服务器) — auto-setup mcporter + MCP, query instances, monitoring & alerting, self-diagnostics, firewall, snapshots, remote...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill manages Tencent Cloud Lighthouse using mcporter and a lighthouse MCP server. Installing the mcporter package and asking for Tencent Cloud SecretId/SecretKey are coherent with the described functionality.
Instruction Scope
SKILL.md explicitly instructs the agent to ask the user for SecretId/SecretKey and to run scripts/setup.sh which installs mcporter (if needed), writes ~/.mcporter/mcporter.json with the provided credentials, and starts/uses a lighthouse MCP server. These steps are within scope, but the doc tells the user to supply secrets directly and the setup script accepts them as command-line args (visible in process listings) and writes them in plaintext to a config file — security-sensitive practices that the user should be aware of.
Install Mechanism
The declared install is an npm 'mcporter' package and the setup script itself runs 'npm install -g mcporter' and uses 'npx lighthouse-mcp-server'. Installing npm packages / using npx is standard for this workflow but carries the usual risks of pulling code from the public npm registry and will create global binaries (may require elevated privileges). No downloads from arbitrary URLs or obscure hosts were found.
Credentials
The skill does not declare required environment variables in registry metadata, yet the runtime instructions and setup script require/ask for Tencent Cloud SecretId and SecretKey. The keys are necessary for the skill's purpose, but the metadata omission is an inconsistency. The script persists the keys to ~/.mcporter/mcporter.json (plaintext), which is expected for operation but is sensitive.
Persistence & Privilege
The skill does not request system-wide privileges beyond installing an npm package and writing a config file under the user's HOME. always:false (no forced inclusion). It does not modify other skills or global agent settings beyond creating ~/.mcporter and installing mcporter.
Assessment
This skill appears to do what it says, but it requires and stores your Tencent Cloud SecretId/SecretKey. Consider the following before installing or using it:
- Avoid pasting long-lived production keys into chat/history. If you must provide keys, create an API key with minimal privileges and limited lifetime, then revoke it when done.
- The setup script accepts secrets as command-line args (e.g., --secret-key), which can be visible to other local users via process listings. Prefer supplying secrets via more secure means if possible.
- The script writes credentials in plaintext to ~/.mcporter/mcporter.json so protect that file (restrict filesystem permissions) or rotate/delete keys after use.
- The skill installs npm packages (npm install -g mcporter and uses npx to fetch lighthouse-mcp-server). Installing packages from the public npm registry has supply-chain risk; review the packages' provenance before trusting them.
- If you are uncomfortable, run setup.sh locally in a controlled environment (not via a hosted agent), inspect the resulting ~/.mcporter/mcporter.json, and use scoped/temporary credentials.


latest vk971f576csty7drvq0qpby9xc183cwb4


Runtime requirements

☁️ Clawdis

Install

Install mcporter (MCP CLI)
Bins: mcporter
npm i -g mcporter
