Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TCCLI - Tencent Cloud Command Line Tool

v1.0.0

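Manage and operate resources across 200+ Tencent Cloud products from the command line, with support for instance queries, start, stop, DNS resolution, and more.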

by GuanM @sxhoio
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and instructions align: SKILL.md is a usage/cheat-sheet for the Tencent Cloud CLI (tccli) and shows commands for the listed services. Nothing in the instructions attempts unrelated actions.
Instruction Scope
The instructions tell the user/agent to run `pip3 install tccli` and to run `tccli configure set secretId/secretKey` (i.e., to provision cloud credentials) and then run management commands. The instructions do not request reading unrelated system files, but they do cause storage of secrets via the CLI's config (path not documented), which is relevant to user security.
Install Mechanism
There is no formal install spec in the manifest; the SKILL.md advises `pip3 install tccli` (PyPI). Installing from PyPI is common and the README links the official GitHub, but a network install still introduces risk (supply-chain / tampered package) that the user should vet.
Credentials
The SKILL.md requires cloud credentials (secretId and secretKey) to operate, but the skill metadata declares no required environment variables or primary credential. This mismatch (instructions asking for sensitive secrets while metadata doesn't declare them) is an omission that reduces transparency. Requesting these two credentials is appropriate for a cloud CLI, but users must recognize they are sensitive and should apply least privilege.
Persistence & Privilege
The skill is instruction-only and does not request 'always:true' or ask to change other skills or global agent settings. It does imply the CLI will persist credentials in its own config, which is expected behavior for a CLI tool.
What to consider before installing
This appears to be a straightforward guide for the official Tencent Cloud CLI, but before proceeding: (1) verify the tccli package source (PyPI package name and the linked GitHub repo) to ensure it is the official project; (2) prefer creating and using least-privilege credentials or temporary keys rather than root/full-admin keys; (3) confirm where tccli stores credentials on disk (so you can secure or remove them when done); (4) consider installing the CLI in an isolated environment (container or VM) if you are unsure; and (5) never paste credentials into public chat or logs. The main concern is the metadata omission of required credentials — likely an oversight but worth confirming with the publisher before installing.

Like a lobster shell, security has layers — review code before you run it.

Tags: cli, cloud-management, cvm, devops, latest, lighthouse, ssl, tencent-cloud
