Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Architecture Dashboard & Risk Review

v1.4.0

Architecture dashboard with integrated risk review. Monitor architecture health, track risk items, and get Well-Architected scores.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (architecture health, Well‑Architected scores) align with using Tencent Cloud Smart Advisor APIs. Required environment variables (TENCENTCLOUD_SECRET_ID / TENCENTCLOUD_SECRET_KEY), python3, network access to advisor.tencentcloudapi.com, and local config under ~/.tencent-cloudq/ are expected for that purpose. Minor inconsistency: SKILL.md sometimes describes the role/policy as 'QcloudAdvisorFullAccess (read-only)', but elsewhere the role creation text lists both QcloudTAGFullAccess and QcloudAdvisorFullAccess with fuller privileges — clarify which exact policies will be attached.
Instruction Scope
The runtime instructions explicitly tell users to permanently write SecretId/SecretKey into shell startup files (~/.bashrc or ~/.zshrc). Persisting long‑term AK/SK in plain shell rc is unnecessary and poor security practice; safer alternatives (temporary STS tokens, OS-level secret storage) are not recommended. The skill includes scripts that will create IAM roles and attach policies (create_role.py, cleanup.py). SKILL.md states role creation is gated on explicit user consent, which is good, but the documentation contains conflicting wording about which policies and level of access will be granted — user must verify create_role.py content before consenting. check_env.py will also call APIs to validate keys (DescribeArchList), which is expected, but it may perform a remote version check using a 'clawhub' subprocess (see install/binary notes).
Install Mechanism
No external install spec (instruction-only) but the skill bundles multiple Python scripts that will be executed locally. There are no remote download URLs in the install metadata. Risk is limited to local execution of included scripts; user should inspect scripts before running. One operational mismatch: check_env.py invokes a 'clawhub' subprocess to query remote version info but 'clawhub' is not declared as a required binary — this is a robustness / transparency gap (not necessarily malicious).
Credentials
The only required credentials are TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY, which is appropriate for calling Tencent Cloud APIs. However: (1) SKILL.md instructs users to persist these credentials in shell rc files (unduly broad and risky); (2) the role creation flow mentions attaching policies whose scope is inconsistently described (read-only vs full access and an additional QcloudTAGFullAccess policy), which could grant more privileges than the user expects. The skill says temporary credentials are used in memory only and that it will not persist AK/SK, but it still directs the user to permanently write them into shell rc — this is poor practice and disproportionate to safe usage.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It stores its own config at ~/.tencent-cloudq/config.json (role ARN only) and provides cleanup.py to remove created role/config. That scope is reasonable provided you review scripts. It does not appear to alter other skills or global agent settings.
What to consider before installing
This skill is plausibly what it says (a Tencent Cloud Smart Advisor helper) but has several things you should verify before installing or running any scripts:

1) Inspect scripts/create_role.py and scripts/cleanup.py to confirm exactly which IAM policies will be attached and whether they are read-only or grant broader permissions. Do not consent to role creation until you understand the attached policies.

2) Do NOT blindly follow the SKILL.md instruction to permanently write your SecretId/SecretKey into ~/.bashrc / ~/.zshrc; storing long-term API keys in shell startup files is risky. Prefer using short-lived STS credentials, a secure OS keyring, or environment injection for the current session only.

3) Run check_env.py in a safe environment first (e.g., inspect it, run with --quiet and --skip-update) to see what it would call; note it may try to call 'clawhub' for a version check if present.

4) Confirm that temporary credentials (if used) are indeed kept only in memory and that no script logs or writes your SecretKey.

5) If you accept role creation, plan to review and/or delete the created role via the CAM console or the provided cleanup.py.

If uncertain, treat this skill as untrusted until you or your security team has reviewed the included scripts and the exact IAM actions they perform.


Runtime requirements

Platform: Clawdis
Bins: python3
Env: TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY
