tencentcloud-tke-skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Tencent Cloud/Kubernetes admin skill, but it grants broad infrastructure authority and exposes live access tokens with weak safeguards.

Install only if you intend to let an agent administer Tencent Cloud TKE, Kubernetes, Helm, RBAC, and TCR resources. Use least-privilege cloud and kubeconfig credentials, pass an explicit kubeconfig and namespace, avoid production/admin contexts by default, and manually approve any delete, endpoint, Helm, RBAC, kubeconfig-add, token, or billing-related command. Treat generated tokens and kubeconfigs as secrets and do not paste them into chats, logs, repos, or shared tickets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tainted flow: 'target' from os.getenv (line 377, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    # Write the merged result back to the target file
    os.makedirs(os.path.dirname(os.path.abspath(target)), exist_ok=True)
    with open(target, 'w') as f:
        f.write(result.stdout)
    print(f"已将 {source} 合并到 {target}")
Confidence
84% confidence
Finding
with open(target, 'w') as f:

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises cluster operations, troubleshooting, Helm deployment, and registry management, but this section adds tenant provisioning, RBAC lifecycle management, token minting, and kubeconfig generation. That materially expands the authority surface beyond the stated purpose, making accidental over-granting and credential distribution much more dangerous in an agent context.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code can mint Kubernetes ServiceAccount tokens on demand and print them directly to stdout or JSON output. In an agent skill, that enables direct credential extraction and lateral use of cluster access outside the intended troubleshooting workflow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The prompt generator assembles a full kubeconfig with API server, CA data, namespace, and a live bearer token, then outputs installation instructions for external use. That is a turnkey credential-export mechanism, which is especially dangerous because it converts in-cluster administrative access into portable off-platform access.

Missing User Warnings

High
Confidence
98% confidence
Finding
The function retrieves a ServiceAccount token and prints it directly to stdout or structured output, making accidental disclosure via logs, transcripts, agent memory, or terminal history very likely. Because the token is a bearer credential, anyone who obtains it can act with the bound RBAC permissions until expiry.

Missing User Warnings

High
Confidence
99% confidence
Finding
The generated prompt embeds a long-lived token by default (8760h) into a kubeconfig block intended to be copied and saved by a user. This creates durable credential exposure in chat logs, clipboard history, shell files, and any downstream systems that store the generated output.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI exposes a destructive delete operation for TCR instances, including an option to also delete the associated storage bucket, but performs it immediately with no confirmation prompt, dry-run mode, or explicit acknowledgement flag. In an agent or automation context, a mistaken invocation, wrong variable expansion, or prompt-induced misuse could irreversibly destroy infrastructure and stored artifacts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Repository deletion is executed directly from user-supplied identifiers without any warning or confirmation barrier. This increases the chance of accidental deletion of container repositories, which can disrupt deployments and destroy retained images relied on by clusters or CI/CD pipelines.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Namespace deletion is a destructive registry operation and is performed without a user-facing warning, confirmation, or safeguard. In operational tooling, this can lead to broad unintended impact because a namespace often contains multiple repositories and affects downstream image consumers.

VirusTotal

66/66 vendors flagged this skill as clean.
