Tencent Cloud Lighthouse

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill's behaviour is mostly consistent with its stated purpose of managing Tencent Cloud Lighthouse, but its OAuth helper handles powerful cloud credentials in ways that deserve review before use.

Install only if you are comfortable giving the skill Tencent Cloud authority to manage Lighthouse resources. Use OAuth rather than permanent AK/SK keys, treat the browser login code as sensitive, do not continue if the OAuth state does not match, and carefully confirm any action that creates resources, changes firewalls, restores snapshots, resets passwords, or runs commands on an instance.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrong, stale, or unintended OAuth code could be accepted, causing future cloud operations to run under an unexpected Tencent Cloud session or account.

Why it was flagged

The helper detects an OAuth state mismatch but continues instead of aborting; it then exchanges the code for an access token and writes cloud credentials anyway.

Skill content

echo "⚠️  警告: state 不匹配" ... echo "可能是使用了旧的授权链接。继续尝试..."

Recommendation

Do not proceed on OAuth state mismatch. The helper should fail closed and require a fresh authorization URL/code pair before writing credentials.

What this means

A user may unknowingly paste sensitive Tencent Cloud login tokens into the agent/chat context, where they may be retained or exposed beyond the local credential file.

Why it was flagged

The helper tells the user they may send the base64 login code to the AI assistant, but the script shows that this code contains OAuth token material.

Skill content

echo "或发送给 AI 助手,让它帮你完成登录。" ... access_token=$(echo "$token_json" | jq -r '.accessToken // empty') ... refresh_token=$(echo "$token_json" | jq -r '.refreshToken // empty')

Recommendation

Treat the browser-returned OAuth code as sensitive. Prefer pasting it only into a local command, and update the skill wording to clearly warn that the code contains credential material.

What this means

Remote commands can change, expose, or disrupt the target server if the wrong command or instance is selected.

Why it was flagged

The skill documents remote command execution on Lighthouse instances through Tencent Automation Tools.

Skill content

tccli tat RunCommand --region ap-guangzhou ... --Content "uptime && df -h && free -m"

Recommendation

Confirm the target instance, region, and exact command before using TAT, and keep the skill's single-confirmation rule for remote commands.

What this means

The skill's behaviour depends on whichever tccli version pip resolves at install time, so it can change from one install to the next.

Why it was flagged

The skill relies on installing the tccli package from pip without a pinned version.

Skill content

If not installed: `pip install tccli`

Recommendation

Install tccli from the official Tencent Cloud source and consider pinning or verifying the package version in controlled environments.