Tencent Cloud Lighthouse

Security checks across malware telemetry and agentic risk

Overview

This is a real Tencent Cloud Lighthouse management skill, but it handles powerful cloud credentials and includes unsafe guidance users should review before installing.

Install only if you intend to let an agent administer Tencent Cloud Lighthouse resources. Use it on a trusted machine, keep OAuth codes and tokens out of chat, check ~/.tccli credential permissions, and explicitly confirm region, instance ID, cost, firewall CIDR, snapshot or blueprint IDs, and remote command contents before any modifying action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The skill manifest is scoped to Lighthouse operations, but this script implements generic tccli OAuth credential acquisition usable beyond Lighthouse. That scope expansion increases privilege and attack surface because it provisions broadly reusable cloud credentials instead of limiting behavior to the stated product-specific tasks.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
The script exchanges an OAuth access token for temporary Tencent Cloud API credentials and stores them for reuse, which materially exceeds a simple Lighthouse task helper. Reusable API credentials can be abused for broader cloud actions if exposed or if the surrounding agent later invokes non-Lighthouse operations.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger list includes broad phrases such as 'deploy app', 'instance ID', and especially 'whoami', which can match many unrelated requests and cause this skill to load outside the intended Lighthouse context. Because the skill supports shell commands, cloud authentication, and remote command execution, accidental over-triggering increases the chance of exposing credentials, running the wrong operational workflow, or performing actions in an unintended context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The instructions explicitly create a firewall rule exposing the application port to 0.0.0.0/0 without any warning about restricting source IPs, validating necessity, or considering whether the service is hardened and intended to be public. In a deployment skill that may be followed mechanically, this increases the chance of unintentionally exposing unfinished apps, admin panels, or vulnerable services to the internet.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The instruction to create a NEW Lighthouse instance by default when the user says "create / deploy / set up" is overly broad and can trigger provisioning for ambiguous requests. In a cloud-management skill, unintended resource creation can cause unexpected cost, configuration drift, and accidental deployment into the wrong account, region, or plan.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The password reset example provides a direct reset command without an explicit warning or confirmation step, even though it changes credentials and can restart the instance. In an infrastructure skill, this is dangerous because it can lock out legitimate operators, interrupt running workloads, and cause immediate administrative impact if executed on the wrong instance.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This documentation instructs users how to execute arbitrary remote shell commands on Lighthouse instances, including commands that expose system, network, service, and disk information, but it does not include any warning about operational impact, privilege scope, or sensitive data exposure in command output. In a skill intended to help manage production-like cloud instances, omission of these safeguards can lead users to run invasive or destructive commands without informed consent or proper authorization checks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The snapshot deletion example provides a destructive command without any adjacent warning to confirm user intent, explain irreversibility, or encourage verification of the target snapshot ID. In a Lighthouse management skill, users may copy and run commands directly, so omission of safety guidance increases the risk of accidental deletion of backup data and loss of recovery options.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The custom blueprint deletion example omits a warning that deleting a blueprint permanently removes an image artifact that may be needed for future instance creation or recovery workflows. Because this skill is specifically for infrastructure administration, users are likely to treat the snippet as approved operational guidance, making accidental irreversible deletion more plausible.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script writes sensitive material including SecretId, SecretKey, session token, accessToken, and refreshToken to a local file without setting restrictive permissions or clearly warning the user. On multi-user systems or misconfigured environments, those secrets may be read by other processes or users and then used to access cloud resources.

Ssd 3

Severity: High
Confidence: 99%
Finding
The script explicitly tells users they can send the OAuth verification code to an AI assistant, encouraging disclosure of sensitive authentication material to a third-party natural-language system. Because the code decodes into access-token-bearing JSON, sharing it can expose login state and enable credential exchange or account access.

VirusTotal

65/65 vendors flagged this skill as clean.