Tencent Cloud Lighthouse
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: tencentcloud-lighthouse-skill
Version: 1.0.2
The skill bundle provides a legitimate interface for managing Tencent Cloud Lighthouse instances using the official 'tccli' command-line tool. It includes helper scripts for OAuth authentication (script/tccli-oauth-helper.sh) and instance identification (script/whoami.sh) that interact with standard Tencent Cloud endpoints and metadata services. The instructions in SKILL.md and the reference documents are well-structured, providing clear workflows for cloud management tasks while incorporating safety guidelines for high-risk operations.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong, stale, or unintended OAuth code could be accepted, causing future cloud operations to run under an unexpected Tencent Cloud session or account.
The helper detects an OAuth state mismatch but continues instead of aborting before exchanging the access token and writing cloud credentials.
echo "⚠️ 警告: state 不匹配" ... echo "可能是使用了旧的授权链接。继续尝试..."
Do not proceed on OAuth state mismatch. The helper should fail closed and require a fresh authorization URL/code pair before writing credentials.
A user may unknowingly paste sensitive Tencent Cloud login tokens into the agent/chat context, where they may be retained or exposed beyond the local credential file.
The helper tells the user they may send the base64 login code to the AI assistant, but the script shows that this code contains OAuth token material.
echo "或发送给 AI 助手,让它帮你完成登录。" ... access_token=$(echo "$token_json" | jq -r '.accessToken // empty') ... refresh_token=$(echo "$token_json" | jq -r '.refreshToken // empty')
Treat the browser-returned OAuth code as sensitive. Prefer pasting it only into a local command, and update the skill wording to clearly warn that the code contains credential material.
Remote commands can change, expose, or disrupt the target server if the wrong command or instance is selected.
The skill documents remote command execution on Lighthouse instances through Tencent Automation Tools.
tccli tat RunCommand --region ap-guangzhou ... --Content "uptime && df -h && free -m"
Confirm the target instance, region, and exact command before using TAT, and keep the skill's single-confirmation rule for remote commands.
The behavior depends on whichever tccli package version pip installs at the time, which may change over time.
The skill relies on installing the tccli package from pip without a pinned version.
If not installed: `pip install tccli`
Install tccli from the official Tencent Cloud source and consider pinning or verifying the package version in controlled environments.
