ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tencent Cloud Log Service

v0.1.0

Query and analyze Tencent Cloud CLS logs

0· 1.5k·0 current·0 all-time
by@dbwang0130
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (query/analyze Tencent CLS logs) matches the SKILL.md: it calls a CLI named clscli and requires Tencent Cloud API credentials. However the registry metadata at the top-level claims no required binaries or env vars while SKILL.md declares clscli and TENCENTCLOUD_SECRET_ID/KEY — that mismatch is incoherent and should be resolved.
Instruction Scope
SKILL.md instructions are focused on installing clscli, setting Tencent Cloud credentials, and running clscli commands to list topics, query logs, and get context. The instructions do not ask the agent to read unrelated files, search system state, or transmit data to unexpected external endpoints.
!
Install Mechanism
There is no packaged install spec in the registry; instead SKILL.md instructs users to 'brew tap dbwang0130/clscli' and install from that tap (a third‑party Homebrew tap). That introduces risk because binaries will come from a user tap (not clearly an official Tencent release). The homepage is a generic https://github.com/ link (not a specific repo), and source is 'unknown', which prevents verification of the installer.
Credentials
The only environment variables the skill needs (per SKILL.md) are TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY — appropriate for calling Tencent APIs. The inconsistency between the registry's declared 'none' and SKILL.md's env requirements is concerning because it hides the need for secrets in the registry metadata.
Persistence & Privilege
The skill is instruction-only with no code files and does not request always:true or other elevated persistent privileges. It does, however, instruct the user to install a binary which will persist on the system — that's normal for a CLI integration but increases local risk compared with a pure instruction skill.
What to consider before installing
Before installing or using this skill: 1) Verify the clscli binary source — find the official GitHub repo or release page and confirm the Homebrew tap (dbwang0130) is trustworthy. A generic homepage (https://github.com/) and 'source: unknown' are red flags. 2) Prefer installing from an official Tencent release or a well-reviewed package; avoid installing binaries from untrusted personal taps. 3) Only provide TENCENTCLOUD_SECRET_ID/KEY if you trust the clscli binary; consider using temporary, limited-scope credentials or a read-only account scoped to the CLS resources needed. 4) Inspect the clscli project's code/release artifacts (and its Homebrew formula) before running them. 5) If you must test quickly, run clscli in an isolated environment (container or VM) to limit potential impact. These steps will reduce risk and would increase confidence that the skill is safe to use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9755kx1z7mzgq7gngdnyabj9h80jdpb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments