ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

txcloud-diagnostics

v1.0.0

用于腾讯云云产品异常诊断。当用户反馈腾讯云相关的任何异常、产品/实例不可用等情况时,根据反馈的实例和异常信息,自动拉取监控等数据进行分析诊断,输出原因和建议。

0· 72·0 current·0 all-time
bycareyzhang@crueluncle
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and scripts clearly depend on the tccli CLI and on the ability to call Tencent Cloud TAT APIs, but the skill metadata declares no required binaries or credentials. A diagnostic skill legitimately needs tccli and valid Tencent Cloud credentials; those should be declared. The omission is an incoherence between claimed requirements and actual capabilities.
!
Instruction Scope
Runtime instructions direct the agent to run prefetch.py / diagnose.py and to start a background tccli_auth_daemon that writes/reads files under /tmp and interacts with an interactive tccli auth flow. The SKILL.md explicitly instructs suppressing intermediate output and to ask the user to paste a base64-style auth code which will be written verbatim to /tmp and fed into the tccli process. The skill also permits performing OS-level diagnostics via TAT (remote command execution). Although the SKILL.md prescribes a whitelist of 'read-only' commands, this is enforced by instructions, not by the code: exec_tat accepts arbitrary commands and will submit whatever the caller passes to TAT.
Install Mechanism
No install spec is present (instruction + scripts only), so nothing is downloaded or auto-installed by the registry package. That lowers supply-chain risk compared to remote downloads or package installs.
!
Credentials
The skill requests no declared credentials/env vars, yet it requires valid Tencent Cloud credentials (obtained via tccli auth) and relies on tccli being present on PATH. It also writes user-supplied auth tokens into /tmp files and runs a background auth daemon. The ability to run TAT remote commands implies the skill will use credentials with permissions to execute commands on instances — this level of access should be declared and minimized.
Persistence & Privilege
always:false (good). The skill suggests launching a background tccli_auth_daemon (nohup) for up to 10 minutes and writes logs to /tmp; it does not request permanent installation or modify other skills. However, because the agent can invoke the skill autonomously and the scripts can call TAT to run commands on instances, there's an elevated operational risk if invoked without strict human review.
What to consider before installing
Key things to consider before installing: - The package did not declare required binaries or credentials, but the scripts require the tccli CLI and valid Tencent Cloud credentials (used to call monitor, tat, and other APIs). Make sure tccli is installed and be aware this skill will prompt you to authenticate. - The auth flow starts a background daemon that writes/reads files under /tmp and asks the user to paste the interactive auth code; that code will be written verbatim to /tmp and submitted to tccli. Only proceed if you trust the skill and are comfortable running such a flow locally. - The skill can perform TAT remote execution on your instances. Although the documentation lists a read-only command whitelist, the code will accept and forward arbitrary commands provided at runtime — this is a powerful capability. Only run this skill with credentials scoped to read-only/diagnostic operations, or require manual review before executing any TAT command. - The SKILL.md instructs the agent to suppress intermediate errors and internal tccli output; this can hide failures or unexpected behavior. Prefer to run the scripts manually first to observe outputs and logs (/tmp/tccli_daemon.log, /tmp/tccli_auth_link.txt) before enabling automated/agent invocation. Recommended actions: 1. Do not enable autonomous invocation unless you trust the skill fully. Limit to user-invoked only. 2. Inspect and run the scripts in a safe/test account or sandbox before using on production credentials or instances. 3. Restrict credentials used by this skill (least privilege): monitoring + describe permissions, and avoid granting broad TAT/instance-control permissions unless necessary. 4. Ask the author to update metadata to declare tccli as a required binary and to document required IAM scopes; request code changes to enforce a command whitelist for TAT at runtime rather than relying solely on documentation. If you want, I can produce a concise checklist or suggested minimal IAM policy that would be appropriate for safely running this diagnostic skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk975mjyqer1v9fp684351xnsqs83x9z5
72downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
careyzhang@crueluncle
latest
Download

腾讯云云产品诊断

⚠️ 所有脚本在 skill 目录下执行:先 cd skills/txcloud-diagnostics/

诊断流程

Step 1: 预获取

  1. 从对话提取产品类型、实例 ID、地域、问题现象、问题时间段(地域和问题时间段缺失必须追问,不得猜测)
  2. 通过实例 ID 前缀识别产品(见下方 ID 前缀表),再查产品路由表必须先 read 对应 profile 文件,从中获取 namespace、dimension-key、核心指标。禁止凭记忆填写 namespace/dimension-key,必须从 profile 文件中读取
  3. 跨产品场景(如"A 访问 B 超时/报错"):优先诊断被访问方 B,诊断完 B 后若未找到原因再诊断 A。一次只诊断一个产品
  4. 结合 profile 指标决策表 + 用户问题现象,预选 3~8 个诊断指标
  5. 执行:
python3 scripts/prefetch.py --instance-id <id> --product <product> \
  --region <region> --namespace <namespace> --dimension-key <dim-key>
  • status: "ok" → 进 Step 2
  • status: "auth_failed" → 执行凭证授权(见下方),成功后重试
  • status: "error" → 根据 message 提示用户

Step 2: 执行诊断

python3 scripts/diagnose.py \
  --instance-id <id> --region <region> \
  --namespace <namespace> --dimension-key <dim-key> \
  --metrics '<指标1,指标2,...>' \
  --problem-start '<ISO8601+08:00>' --problem-end '<ISO8601+08:00>'

可选:--pad-before/--pad-after(默认15分钟),--extra-dims(CCN 等多维度产品必传)。

时间处理:用户说的时间默认为 北京时间(UTC+8),直接用 +08:00 后缀。例:用户说"19点左右" → --problem-start '2026-03-28T18:30:00+08:00' --problem-end '2026-03-28T19:30:00+08:00'不要做 UTC 转换

指标选择优先用 profile 决策表,通用匹配:慢→latency、错误→error/fail、流量→traffic/bandwidth、连接→conn。

输出规范全流程禁止输出中间思考/排查过程。用户只看到以下内容:

  • 需要授权时:只输出授权链接 + "请点击登录授权并回复验证码",不要解释为什么需要授权、不要暴露 tccli 报错信息
  • 诊断进行中:不输出任何内容(静默执行),不要说"让我先..."、"正在读取..."、"prefetch 成功"等
  • 诊断完成后:只输出最终报告,格式如下:
📋 诊断结论:<一句话结论>

| 实例 | 指标1 | 指标2 | ... | 状态 |
|------|-------|-------|-----|------|
| xxx  | 数据  | 数据  | ... | ✅/❌ |

建议:
1. <具体可执行动作>
2. <具体可执行动作>

禁止:输出思考过程、暴露 tccli/脚本报错细节、重复展示同一数据、编造未查证的信息

诊断失败自纠

当 diagnose.py 返回失败(API错误或数据为空)时,不要直接报错放弃,按以下顺序自主尝试(总耗时不超过 10 分钟,超时如实告知用户当前进展和失败原因):

  1. namespace 不对 → 用 tccli 查实际可用的 namespace:

    tccli monitor DescribeBaseMetrics --cli-unfold-argument --region <region> --Namespace <当前namespace> --output json

    如果返回 0 个指标,换同产品的其他已知 namespace 重试(如 TDSQL-C:QCE/CYNOSDB_MYSQLQCE/TDMYSQL

  2. 实例 ID 格式不对 → 用户给的可能是集群 ID 而非实例 ID,通过产品 API 查询实际实例:

    tccli cynosdb DescribeClusterInstanceGrps --region <region> --ClusterId <集群ID> --output json

    从返回的 InstanceSet 中取 InstanceId(如 cynosdbmysql-ins-xxx

  3. dimension-key 不对 → 从 DescribeBaseMetrics 返回的 MetricSet[0].Dimensions 中确认实际维度名

  4. 指标名不对 → 从 DescribeBaseMetrics 返回的 MetricSet 中确认实际可用的指标名(注意大小写)

  5. 数据为空但无报错 → 该时间段确实没有监控数据(实例空闲/新建/已停机),如实告知用户

凭证授权

当 prefetch.py 返回 auth_failed 时执行:

nohup python3 -u scripts/tccli_auth_daemon.py > /tmp/tccli_daemon.log 2>&1 &
sleep 5 && cat /tmp/tccli_daemon.log && cat /tmp/tccli_auth_link.txt

提取链接生成超链接发给用户一键点击登录。提示用户回传验证码(一段 eyJ... 开头的 base64 长字符串) 授权环节只对用户输出:授权链接 + "请点击登录并回复验证码"。不要输出 auth_failed 原因、tccli 配置状态、credential 为空等内部信息。 将用户回复的base64 长字符串内容完整写入 /tmp/tccli_auth_input_code.txt

echo '<用户回复的验证码>' > /tmp/tccli_auth_input_code.txt
sleep 5 && cat /tmp/tccli_daemon.log

日志出现 AUTH_SUCCESS 即成功,重新执行 Step 1。

产品路由表

产品关键字Profile
cvm、云服务器、lighthouse、轻量应用、cdhscripts/product_profiles/compute.md
tke、容器、tcrscripts/product_profiles/container.md
scf、云函数、tcb、云开发scripts/product_profiles/serverless.md
ckafka、kafka、tdmq、rabbitmq、cmq、rocketmq、pulsarscripts/product_profiles/mq.md
apigateway、api网关、tse、tsfscripts/product_profiles/microservice.md
cbs、cos、cfs、chdfs、goosefs、cls、日志、ciscripts/product_profiles/storage.md
clb、负载均衡、nat、vpn、dc、专线、ccn、云联网scripts/product_profiles/network.md
cdb、mysql、cynosdb、tdsql、mariadb、dcdb、postgres、sqlserver、mongodb、redis、memcached、keewidbscripts/product_profiles/database.md
es、elasticsearch、emr、oceanus、dlc、cdwscripts/product_profiles/bigdata.md
cdn、ecdn、gaap、edgeone、ecmscripts/product_profiles/cdn.md
live、直播、vod、waf、cfw、ddosscripts/product_profiles/media_security.md

实例 ID 前缀速查

前缀产品product 参数
ins-CVMcvm
lhins-Lighthouselighthouse
cdb-CDB MySQLcdb
cynosdbmysql-TDSQL-C MySQLtdsql-c
tdsql- / tdsqlshard-TDSQL / DCDBtdsql
postgres-PostgreSQLpostgres
mssql-SQL Serversqlserver
crs-Redisredis
cmgo-MongoDBmongodb
keewidb-KeeWiDBkeewidb
lb-CLBclb
ckafka-CKafkackafka
es-Elasticsearches
emr-EMRemr

其它实例id搜索参考 腾讯云官网

tccli 注意事项

  • 参数格式tccli <service> <Action> --cli-unfold-argument --ParamName value(注意 --cli-unfold-argument
  • 管道解析 JSON 不稳定:优先用 > /tmp/xxx.json 保存文件再用 Python 读取,不要用 | python3

约束

  • 单次诊断总耗时不超过 10 分钟(含自纠重试),超时立即输出已有结论并告知用户
  • 监控数据仅保留 15 天,时间格式 ISO 8601 + 时区
  • 严禁编造数据。获取失败或为空如实告知,不确定标注"未确认"
  • 禁止无限循环:同一操作(如 tccli 命令)最多重试 2 次,2 次仍失败则输出错误信息并停止
  • tccli 命令失败时:不要反复猜测参数格式,改用 prefetch.py / diagnose.py 脚本完成诊断
  • 过程中禁止自己创建新脚本、直接修改原脚本等操作

Comments

Loading comments...