Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tencent Cloud Lighthouse
v1.0.0
Manage Tencent Cloud Lighthouse (轻量应用服务器) — auto-setup mcporter + MCP, query instances, monitoring & alerting, self-diagnostics, firewall, snapshots, remote command execution (TAT). Use when user asks about Lighthouse or 轻量应用服务器. NOT for CVM or other cloud server types.
⭐ 1· 7.5k·216 current·226 all-time
by @lhanyun
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to manage Tencent Cloud Lighthouse and legitimately needs Tencent Cloud API keys; however, the registry metadata declares no required credentials or primary credential. The manifest is therefore inconsistent with the skill's behavior (the skill will prompt for SecretId/SecretKey at runtime but does not declare them).
Instruction Scope
SKILL.md instructions stay within the stated purpose (install mcporter, configure a lighthouse MCP server, call lighthouse endpoints). They explicitly instruct the user to provide Tencent Cloud SecretId/SecretKey and to write those into ~/.mcporter/mcporter.json. This is expected for cloud management, but it directly requests sensitive credentials and stores them on disk — users should know and consent to that.
Install Mechanism
The install uses npm: the manifest declares an install of the node package 'mcporter', the setup script runs 'npm install -g mcporter', and the config points to running 'npx -y lighthouse-mcp-server'. Dynamic npx usage will pull and execute code from the npm registry at runtime — a moderate risk if those packages are not audited or trusted.
Credentials
In practice the skill requires two sensitive credentials (TENCENTCLOUD SecretId and SecretKey), but these are not declared in requires.env/primaryEnv. Requesting full API keys is proportionate to the task, yet the missing manifest declaration and the lack of guidance about least-privilege keys are shortcomings.
Persistence & Privilege
The skill sets always:false, and the script only writes to a per-user config (~/.mcporter/mcporter.json) and may install a global npm binary. It does not request system-wide persistent privileges or modify other skills; autonomy is default and not additionally privileged.
What to consider before installing
This skill does what it says (manages Tencent Cloud Lighthouse) but you should be cautious before installing/using it. Specific points to consider:
- The skill will ask you to paste your Tencent Cloud SecretId and SecretKey and will store them in ~/.mcporter/mcporter.json. Only provide keys you trust the environment with, and prefer keys with the minimum permissions needed (least privilege) or temporary/limited credentials.
- The setup script will install mcporter via npm and will run the MCP server with 'npx lighthouse-mcp-server', which downloads/executes code from the npm registry at runtime. Review the mcporter and lighthouse-mcp-server packages (their npm/github pages and maintainers) before trusting them.
- The skill metadata did not declare the required credentials; treat that omission as a red flag—ask the publisher why the manifest omits credentials and whether secrets can be provided via a safer mechanism (secrets manager, ephemeral token, or role-based access).
- Ensure the config file (~/.mcporter/mcporter.json) is stored with appropriate file permissions and consider rotating/revoking keys after use if you are uncertain about trust.
If you cannot verify the npm packages or are uncomfortable providing API keys, do not install or run the setup script.
Like a lobster shell, security has layers — review code before you run it.
latest vk97f89d7phsg9znr92wm9kjffh80zhqk
Runtime requirements
☁️ Clawdis
Install
Install mcporter (MCP CLI)
Bins: mcporter
npm i -g mcporter