ClawHub

Huaweicloud

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Huawei Cloud planning and Terraform-template skill, but users should review generated infrastructure and handle cloud credentials carefully.

Before installing or using it, verify the GitHub source, review every generated Terraform file, run terraform fmt/validate/plan before any apply, use least-privilege Huawei Cloud credentials, and do not paste, commit, or log AK/SK values or Terraform variables containing passwords.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence
81% confidence
Finding
The README advertises Terraform template generation but does not warn users that the generated output is executable infrastructure-as-code that can create, modify, or destroy cloud resources if applied. In a cloud-provisioning skill, this omission increases the chance of unsafe trust in generated templates, leading to unintended spend, exposure, or deployment of insecure infrastructure.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation instructs users to export long-lived HWC_ACCESS_KEY and HWC_SECRET_KEY and run a script that queries Huawei Cloud pricing APIs, but it does not warn that these credentials are sensitive account-scoped secrets or that resource metadata will be transmitted to an external cloud endpoint. In a skill that may be used by an agent, this can normalize unsafe secret handling and cause accidental disclosure or misuse of cloud credentials.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide includes examples for setting AK/SK secrets via environment variables and a local config file, but provides almost no operational security guidance beyond 'do not hardcode' in provider config. In a cloud-provisioning skill, this can normalize weak secret handling practices, leading users to leave long-lived credentials in shell history, shared files, or poorly protected home directories.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal