ClawHub
Back to skill

Security audit

TCCLI - 腾讯云命令行工具

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tencent Cloud CLI reference, but users should handle cloud credentials and live infrastructure commands carefully.

Install this only if you need Tencent Cloud CLI help. Use least-privilege Tencent Cloud credentials, avoid exposing secrets in shared terminals, logs, screenshots, or repositories, and verify the account, region, instance IDs, domains, DNS values, and certificate IDs before running any write command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to configure long-lived cloud credentials directly in the CLI but does not include any guidance on secure handling, least privilege, rotation, or avoiding exposure in shell history and shared environments. In a cloud-management skill, this omission increases the chance of credential leakage or unsafe operational practices that could lead to unauthorized access to Tencent Cloud resources.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill includes operational commands that can start, stop, reboot instances, modify firewall rules, deploy certificates, and change DNS records, yet it provides no warning that these actions affect live infrastructure and may cause outages or security exposure. Because this is an infrastructure administration skill, these commands are contextually legitimate, but the lack of safety framing makes accidental misuse more likely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.