Cloud Architecture Discovery
Audited by ClawScan on May 10, 2026.
Overview
The skill broadly matches Tencent Cloud architecture discovery, but it asks for powerful cloud credentials and IAM roles, weakens HTTPS verification in helper scripts, and includes unrelated bulk-publishing anti-spam-evasion guidance.
Review carefully before installing. If you proceed, use a dedicated least-privilege Tencent Cloud account or temporary credentials, do not use root/admin long-lived keys, verify and narrow the CAM policies manually, approve role creation only if needed, and ensure the helper scripts keep HTTPS certificate verification enabled.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user provides broad Tencent Cloud keys, the agent may gain authority to create roles and grant full tag/advisor access in the cloud account.
The skill requires persistent Tencent Cloud API credentials and can use them to create/attach IAM policies with full read-write permissions, which is high-impact authority for a discovery-oriented skill.
`TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY` ... `environment variables must be written permanently into the shell configuration file`; later: `QcloudTAGFullAccess` (full read-write permission on tags), `QcloudAdvisorFullAccess` (full read-write permission on Advisor)
Use a dedicated least-privilege subaccount or temporary credentials, review the exact CAM permissions before approval, and avoid storing broad long-lived keys permanently.
A user could approve role creation believing it is read-only when the listed policies include broader read-write authority.
The documentation gives inconsistent and misleading descriptions of the permissions, presenting a FullAccess policy as read-only before later describing full read-write access.
`QcloudAdvisorFullAccess` (read-only access to Advisor, does not affect other cloud resources) ... later: `QcloudTAGFullAccess` (full read-write permission on tags), `QcloudAdvisorFullAccess` (full read-write permission on Advisor)
Correct the permission description, clearly state all managed policies and their impact, and require explicit confirmation for each write-capable policy.
A network attacker could more easily intercept or tamper with cloud API traffic or login-link generation.
The static scan reports disabled HTTPS certificate/hostname verification in the API client; this helper handles authenticated Tencent Cloud API requests.
`ctx.check_hostname = False`
Use Python's default verified HTTPS context and remove any code that disables certificate or hostname verification.
This provenance signal undermines trust in the package and suggests it may be part of a template-spam or mass-publishing workflow rather than a focused user tool.
The package includes unrelated guidance for bulk-publishing many similar skills, rotating tokens, and reducing detection risk, which is incompatible with the stated cloud architecture discovery purpose.
`ClawHub ... anti-spam mechanism` ... `PUBLISH_INTERVAL = 45 seconds` ... `MAX_PER_TOKEN = 3` ... `reduce the risk of being detected` ... `modify the permissions and dependencies in metadata`
Do not install until the publisher removes unrelated publishing automation, provides a verifiable source/homepage, and explains the package provenance.
