Cloud Architecture Holistic View
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Tencent Cloud architecture purpose, but it asks for powerful cloud credentials, can create broad IAM roles, disables HTTPS verification in helper scripts, and contains unrelated guidance for evading ClawHub anti-spam publishing checks.
Review this skill carefully before installing. If you use it, create a narrowly scoped Tencent Cloud sub-account or temporary credentials, do not approve role creation until you verify the policies, and avoid running the helper scripts unless the TLS verification issue and provenance concerns are fixed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved or misused, the skill could gain broad access to Tencent Cloud advisor and tag functions, not just display architecture diagrams.
The skill requires long-lived Tencent Cloud credentials and can create/attach IAM roles with full read/write Tag and Advisor policies, which is high-impact account authority.
TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY ... cam:CreateRole, cam:AttachRolePolicy ... QcloudTAGFullAccess (full read/write access to tags), QcloudAdvisorFullAccess (full read/write access to Advisor)
Use a least-privilege Tencent Cloud sub-account or temporary credentials, verify the exact policies before approving role creation, and remove any created role when finished.
A user may approve role creation believing it is read-only when the documented permissions are broader.
The instructions first describe the policy as read-only and not affecting other resources, then later disclose full read/write Tag and Advisor permissions.
QcloudAdvisorFullAccess (read-only access to Advisor, does not affect other cloud resources) ... QcloudTAGFullAccess (full read/write access to tags), QcloudAdvisorFullAccess (full read/write access to Advisor)
The skill should accurately describe all permissions in one place and require explicit confirmation for each write-capable policy.
Network attackers could have an easier path to intercept or tamper with signed cloud API/login traffic.
The static scan reports HTTPS verification weakening in the Tencent Cloud API client, with the same pattern also reported in scripts/login_url.py.
ctx.check_hostname = False
Do not use the helper scripts until TLS verification is restored to the Python defaults and the affected files are reviewed.
This raises trust and provenance concerns: the skill may be part of a bulk/template publishing campaign rather than a carefully maintained integration.
The package includes unrelated instructions for bulk publishing many skills, rotating tokens, and changing content to reduce anti-spam detection.
ClawHub ... anti-spam mechanism ... MAX_PER_TOKEN = 3 - switch after each token publishes 3 in a row ... increase content differences ... 80 skills
Verify the publisher and source repository before installing, and prefer a version without anti-spam evasion materials.
