Back to skill
Skillv1.0.0
ClawScan security
腾讯云LKE智能体对话 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 12:07 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-and-example client for Tencent Cloud LKE HTTP SSE chat and the included docs and script match the described purpose with no disproportionate or hidden requirements.
- Guidance
- This skill appears coherent and implements a Tencent LKE SSE chat client. Before installing or running: verify you trust the skill source (source/homepage are unknown), keep your AppKey secret (avoid passing it on the command line where other local users can see it), and consider reviewing the included script yourself. If you plan to run this on shared infrastructure, modify the script to read the AppKey from a secure environment variable or prompt rather than a visible CLI argument. If you need stronger assurance, request the publisher's origin or compare the endpoint/behavior against official Tencent Cloud docs.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, reference docs, and the provided Python script all describe the same HTTP SSE chat client for Tencent LKE and require only an AppKey and request parameters; there are no unrelated credentials, binaries, or capabilities requested.
- Instruction Scope
- okSKILL.md and the example code limit themselves to constructing POST requests to the Tencent SSE endpoint and parsing SSE responses. The instructions do not ask the agent to read unrelated files, system credentials, or external endpoints beyond the documented Tencent host. One note: the AppKey is passed as a CLI argument in the sample script, which is sensitive and may be exposed via process listings—handle secrets carefully.
- Install Mechanism
- okThere is no install spec and the skill is instruction-only with an example script. The included requirements note recommends installing requests or the Tencent SDK via pip (standard, expected). No remote downloads or archive extraction are present.
- Credentials
- okThe skill declares no required environment variables or config paths. The only secret needed in practice is the Tencent AppKey (passed as a CLI argument in the example). This is proportional to the stated purpose, but the user should avoid exposing the AppKey in process arguments or logs.
- Persistence & Privilege
- okThe skill does not request always:true and does not modify other skills or system-wide settings. It runs on demand and requires no persistent elevated privileges.