Huaweicloud

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for Huawei Cloud architecture and Terraform generation, but users should handle cloud credentials and generated infrastructure templates carefully.

This skill is reasonable for planning Huawei Cloud deployments, but treat its output as infrastructure code: review the Terraform, estimate costs independently for important projects, use limited cloud credentials, and do not run apply or install from an unverified repository without checking the files first.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Applying generated Terraform could create chargeable Huawei Cloud resources or expose services to the internet.

Why it was flagged

The skill is designed to produce executable infrastructure-as-code, and it says to wait for user confirmation before delivering final files. This is purpose-aligned but high impact if the user later applies the templates.

Skill content

Generate executable Terraform templates ... deliver the final files only after confirmation

Recommendation

Review every generated .tf file, run terraform plan first, use a test project when possible, and avoid automatic apply without explicit approval.

What this means

Broad cloud access keys could allow expensive or sensitive account actions if exposed to the wrong tool or environment.

Why it was flagged

The skill documentation asks for Huawei Cloud access keys for pricing, while the registry metadata declares no required credentials. The included code does not show credential exfiltration, but cloud AK/SK values are sensitive.

Skill content

The environment variables `HWC_ACCESS_KEY` and `HWC_SECRET_KEY` are configured

Recommendation

Use least-privilege IAM credentials, avoid pasting secrets into chat, configure credentials only when actually needed, and clarify the credential requirements in metadata.

What this means

If a user installs from the repository directly, future repository changes could differ from the reviewed artifact set.

Why it was flagged

The README provides a manual install command from an external GitHub repository without a pinned commit, while the registry source is listed as unknown.

Skill content

git clone https://github.com/jiachenz/huaweicloud-skill.git ~/.openclaw/skills/huaweicloud

Recommendation

Install from a trusted source or pinned commit, and inspect the files before use.

What this means

Running the script can read the chosen JSON file and overwrite the chosen Markdown output file.

Why it was flagged

The skill documents running a local Python pricing script with user-provided input and output paths. The included script is a straightforward local cost estimator and does not show network calls, but it can read and write files selected by the command.

Skill content

python scripts/hwc-pricing.py --input resources.json --output cost.md

Recommendation

Run the script only on intended files, avoid protected or sensitive output paths, and review the script before execution.