hwc-cli-guidance

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Huawei Cloud CLI guide with expected but sensitive cloud-admin examples and no hidden execution or deceptive behavior.

Install only if you intend to use Huawei Cloud KooCLI. Treat Huawei Cloud AK/SK credentials as secrets, prefer least-privilege or temporary credentials where possible, verify downloaded CLI binaries from official Huawei sources before system-wide installation, and test delete, restart, and bulk-upload examples in a scoped non-production environment first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 94%
Finding
The guide instructs users to generate and download cloud access keys, but it does not warn that these credentials are highly sensitive, long-lived secrets that must not be exposed, committed to source control, or stored insecurely. In an installation guide for a cloud CLI, omission of secret-handling guidance materially increases the risk of credential leakage and subsequent account compromise.

Missing User Warnings

Medium
Confidence: 89%
Finding
The guide instructs users to create and enter long-lived Access Key and Secret Access Key credentials, but it does not warn against exposing them in terminal history, scripts, shared profiles, screenshots, or logs. In a cloud administration context, leaked AK/SK credentials can enable unauthorized access to cloud resources and data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The installation instructions download binaries from the internet and move them into a system path with sudo, but they do not tell users to verify checksums, signatures, or publisher authenticity first. If the download source, network path, or artifact were tampered with, users could install malicious code with elevated trust.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation includes destructive operations such as deleting objects without warning that these actions may be irreversible or impact production data. In a cloud operations guide, omission of safety warnings increases the risk of accidental data loss or service disruption by users copying commands directly.

Missing User Warnings

Medium
Confidence: 84%
Finding
The bulk upload example enumerates local files and uploads them to cloud storage, but it provides no warning about handling sensitive, regulated, or private data. Users may unintentionally transfer confidential files, secrets, or personal data to a bucket with improper retention or access controls.

VirusTotal

65/65 vendors flagged this skill as clean.
