Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Huaweicloud

v0.1.1

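Huawei Cloud architecture design and resource provisioning. Use this skill when the user needs to design a cloud architecture, get recommended Huawei Cloud service configurations, estimate costs, or generate Terraform templates. Trigger scenarios: (1) the user describes business requirements and asks for architecture advice, (2) a Huawei Cloud resource configuration list is needed, (3) a cost estimate is needed, (4) Terraform templates need to be generated.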

Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
! Purpose & Capability
The skill's name, description, and included Terraform templates align with its stated purpose (architecture design, resource lists, Terraform output). However, the runtime instructions claim the cost calculator requires HWC_ACCESS_KEY/HWC_SECRET_KEY while the skill metadata declares no required env vars; provider comments in templates reference different variable names (HW_ACCESS_KEY/HW_SECRET_KEY). This mismatch between declared requirements and the instructions is incoherent and unexplained.
! Instruction Scope
SKILL.md instructs the agent to run scripts/hwc-pricing.py to compute costs and to generate Terraform files from repository templates. It explicitly asks for environment variables (HWC_ACCESS_KEY/HWC_SECRET_KEY) as a precondition for pricing, but the included Python script does not actually call any external API or read those env vars (it uses an internal PRICE_TABLE). That inconsistency could confuse users and may indicate the script or instructions were changed without updating the other.
Install Mechanism
No install spec is provided; this is an instruction-and-file-only skill. No archive downloads or external installers are invoked, so there is low installation risk from arbitrary remote code fetches. Files in the repo are plain-text templates and one Python script.
! Credentials
The SKILL.md requests HWC_ACCESS_KEY and HWC_SECRET_KEY for pricing, but the skill's declared requirements list no env vars and the Python script does not use those variables. Provider comments in templates reference yet another naming convention (HW_ACCESS_KEY / HW_SECRET_KEY). Asking for cloud AK/SK is a high-sensitivity request that should be justified and declared explicitly — the current mismatch is disproportionate and confusing.
Persistence & Privilege
The skill does not request always:true, does not declare system config paths, and does not modify other skills. It would run only when invoked. Generated Terraform files and cost reports are expected outputs and do not in themselves increase runtime privilege.
What to consider before installing
  • Inconsistency: SKILL.md says the cost script needs HWC_ACCESS_KEY / HWC_SECRET_KEY, but the skill's metadata does not declare any required env vars and the included scripts/hwc-pricing.py does not read or use those env vars (it uses a built-in PRICE_TABLE). Provider comments in Terraform templates reference yet another name (HW_ACCESS_KEY / HW_SECRET_KEY). This is a red flag: do not export your cloud AK/SK to the skill until you verify why they are needed.
  • Verify behavior locally: If you need cost estimates, run scripts/hwc-pricing.py locally against a sample resources.json first (the script currently uses static prices and does not call external APIs). That lets you confirm whether it needs credentials and whether it will call external endpoints.
  • Least privilege: If the skill genuinely needs AK/SK for BSS API calls, create and supply credentials with minimal scope (read-only billing/pricing) and prefer short-lived or limited-scope keys. Never supply root or admin keys.
  • Review outputs: The generated Terraform templates and outputs include connection strings and resource IDs (private IPs, hostnames). Be careful about sharing generated files; they can reveal internal network details.
  • If you need certainty: Ask the author (or inspect runtime code) whether any component will call the Huawei BSS pricing API or other network endpoints. The current repo shows only local calculation; if future versions add API calls, credential use could change.

Given these mismatches I recommend caution (do not provide cloud credentials) until the credential requirements are clarified and the script's network behavior is confirmed.

Like a lobster shell, security has layers — review code before you run it.

452 downloads
2 stars
2 versions
Updated 7h ago
MIT-0

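Huawei Cloud Architecture Design and Resource Provisioning

Helps the user start from business requirements to design a Huawei Cloud architecture, recommend resource configurations, estimate costs, and generate executable Terraform templates.

Workflow

User describes business requirements
       ↓
[1. Requirements analysis] Extract key elements
       ↓
[2. Architecture recommendation] Match a suitable architecture pattern
       ↓
[3. Resource list] Generate detailed configuration
       ↓
[4. Cost estimate] Call the price calculation
       ↓
[5. Generate templates] Output Terraform code
       ↓
[6. User confirmation] Deliver after confirmation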

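1. Requirements analysis

Extract the key elements from the user's description:

| Element | Description | Example |
|---------|-------------|---------|
| Business type | Web application / microservices / big data / AI | E-commerce site, data analytics platform |
| Scale | Number of users / data volume / QPS | 100,000 daily active users, 1 TB of data |
| Availability | Whether high availability is required | Single AZ / multi-AZ |
| Security and compliance | MLPS (等保) / data encryption | MLPS Level 3 |
| Budget | Cost constraints | Monthly budget of 5,000 yuan |

Output: a structured requirements summary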


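2. Architecture recommendation

Match an architecture pattern to the requirements; see references/architectures.md

Common architecture patterns:

  • Web application architecture (ECS + RDS + OBS + ELB)
  • Microservices architecture (CCE + RDS + Redis + ELB)
  • Big data architecture (MRS + OBS + DWS)
  • AI/ML architecture (ModelArts + OBS + RDS)

Output: the recommended architecture plus a description of the architecture diagram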


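3. Resource list

Generate a detailed resource configuration from the architecture; see references/services.md

List format:

## Resource Configuration List

### Compute resources
| Resource type | Specification | Quantity | Purpose |
|---------|------|------|------|
| ECS | c6.xlarge.4 | 2 | Web servers |

### Storage resources
| Resource type | Specification | Capacity | Purpose |
|---------|------|------|------|
| OBS | Standard storage | 500GB | Static assets |

### Network resources
| Resource type | Specification | Quantity | Purpose |
|---------|------|------|------|
| VPC | /16 | 1 | Main network |
| ELB | Shared | 1 | Load balancing |

### Database
| Resource type | Specification | Version | Purpose |
|---------|------|------|------|
| RDS MySQL | rds.mysql.c6.large.2 | 8.0 | Primary database |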

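4. Cost estimate

Use scripts/hwc-pricing.py to calculate the monthly cost.

Prerequisites:

  • The environment variables HWC_ACCESS_KEY and HWC_SECRET_KEY are configured

Output format:

## Cost Estimate (Monthly)

| Resource | Unit price | Quantity | Monthly cost |
|------|------|------|--------|
| ECS c6.xlarge.4 | ¥800 | 2 | ¥1,600 |
| RDS MySQL | ¥1,200 | 1 | ¥1,200 |
| ... | ... | ... | ... |
| **Total** | | | **¥3,500** |

*Prices are for reference only; the actual bill prevails*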

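5. Generate Terraform templates

Generate Terraform code from the resource list; see references/terraform-providers.md and the templates in assets/terraform/.

Output files:

  • main.tf - main configuration (provider, variables)
  • vpc.tf - network configuration
  • compute.tf - compute resources
  • database.tf - database resources
  • storage.tf - storage resources
  • outputs.tf - output variables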

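6. User confirmation

Present the complete plan for the user to confirm:

  1. Architecture
  2. Resource list
  3. Cost estimate
  4. Terraform code (or files)

Deliver the final files only after confirmation.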


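Reference documents

Load the following documents as needed:

  • Product catalog: references/services.md — Huawei Cloud product specifications and applicable scenarios
  • Architecture patterns: references/architectures.md — common architecture patterns and best practices
  • Terraform: references/terraform-providers.md — guide to using the Huawei Cloud provider
  • Pricing API: references/pricing-api.md — price calculation interface documentation

Notes

  • AK/SK security: do not hard-code credentials in templates; use environment variables or Terraform variables
  • Cost notice: always remind the user that prices are for reference only
  • Compliance check: when MLPS (等保) or data security is involved, remind the user to confirm the compliance requirements
  • Template validation: advise the user to validate with terraform plan before applying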
