Tencent Cloud Lighthouse

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it asks for powerful Tencent Cloud credentials and stores them locally for an unpinned external MCP server that can run commands and change firewalls.

Review before installing. Use a dedicated least-privileged Tencent CAM key limited to the Lighthouse actions you need, avoid root or account-wide credentials, verify the mcporter and lighthouse-mcp-server packages before use, confirm every firewall or remote-command action, and delete or rotate the stored key when finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script persists Tencent Cloud SecretId and SecretKey directly into a JSON config file under the user's home directory, and does so by default without warning, permission hardening, or use of a secure secret store. This increases the chance of credential disclosure through local file reads, backups, shell history/workstation compromise, or overly permissive file permissions, which is especially risky because these are cloud API credentials for infrastructure management.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal