Tencent First-Release Creative Spend Query
Audited by ClawScan on May 11, 2026.
Overview
The skill appears to perform the advertised Tencent Ads query, but its first-use setup can automatically install an unpinned global npm dependency and it asks to store a Tencent Ads API key.
Review the dependency setup before installing. Prefer manually installing a verified, pinned tencentads-cli version, confirm the tencentads-management and tencentads-auth skills are trusted, and use only a scoped Tencent Ads API key for the specific accounts and date ranges you intend to query.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Before the report query runs, the agent may execute newly downloaded dependency code under your user account.
The first-use flow directs dependency installation from a remote HTTP URL and tells the agent to install an unpinned global npm package if missing. Global npm installs can execute package scripts, and @latest can change over time.
`Install the Tencent marketing ad-delivery skill according to http://skills.ad.qq.com/install/tencentads.md` ... `npm install tencentads-cli@latest -g`
Manually verify the Tencent Ads dependency source, prefer HTTPS, pin or review the npm package version, and approve any global install before allowing the skill to run it.
Anyone or anything with access to the saved key may be able to query Tencent Ads data within that key's permissions.
The skill asks the user to provide a Tencent Ads API key and saves it through a separate auth script. This is expected for a Tencent Ads reporting skill, but it grants persistent access to advertising account data.
`After obtaining it, please send me the API Key and I will save it automatically.` ... `node scripts/auth-save-apikey.mjs --api-key <user-provided KEY>`
Use a scoped, revocable API key; verify where it is stored; rotate it if exposed; and avoid providing broader account permissions than the query requires.
If the dependent tencentads-management skill is tampered with, this skill would execute its report helper while running the query.
The included script executes a sibling management skill's report script through the shell. The argument is internally base64-encoded JSON and the behavior matches the advertised dependency, but it relies on that sibling skill being trustworthy.
const cmd = `node scripts/query-report.mjs --base64 ${base64}`; ... execSync(cmd, { cwd: MGMT_SKILL
Install the dependency only from a trusted source and review or pin the dependent skill before using this query skill with real credentials.
