ClawHub
Skill flagged — review recommended

ClawHub Security found sensitive or high-impact capabilities. Review the scan results before using.

Tencent Cloud Lighthouse

Load when: user mentions Lighthouse, 轻量应用服务器, 轻量服务器, or asks to check/create/manage/deploy Lighthouse instances, deploy applications to Lighthouse, manage Lighthouse firewall rules, reset Lighthouse password, view Lighthouse snapshots/images/traffic, monitor Lighthouse metrics, run commands on Lighthouse via TAT, or asks to get/identify the current instance ID. Trigger phrases: "查看轻量服务器", "Lighthouse实例", "轻量应用服务器", "部署应用", "部署程序", "部署到Lighthouse", "管理防火墙规则", "重置密码", "查看快照", "查看流量包", "获取实例ID", "查看实例ID", "当前实例", "实例IP", "check Lighthouse", "create Lighthouse", "deploy app", "deploy application", "Lighthouse firewall", "Lighthouse snapshot", "instance ID", "whoami". NOT for CVM, CBS, VPC, or other non-Lighthouse products.

Audits

Suspicious
ClawScanSuspicious

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install tencentcloud-lighthouse-skill

Lighthouse Cloud Server Operations

Manage Tencent Cloud Lighthouse instances via tccli CLI.

Your knowledge of tccli parameters and API limits may be outdated. Always use tccli <service> <action> --help to verify parameters before execution.

Prerequisites

tccli --version

If not installed: pip install tccli

Credential Setup

MethodSecurityExpiryRecommendation
OAuth browser loginHighTemporary, expires in 2 hoursRecommended
AK/SK key pairLowPermanent unless revokedSpecial cases only

When the user has not chosen a method, default to OAuth.

OAuth Login (Recommended)

Use script/tccli-oauth-helper.sh for non-interactive OAuth login:

# Step 1: Check credential status
bash script/tccli-oauth-helper.sh --status

# Step 2: Generate authorization URL (if credentials are missing or expired)
bash script/tccli-oauth-helper.sh --get-url

# Step 3: User opens the URL in browser, completes login, and gets a base64 code

# Step 4: Complete login with the code
bash script/tccli-oauth-helper.sh --code "base64_code_from_browser"

# Step 5: Verify
tccli lighthouse DescribeRegions

Workflow:

  1. Run --status to check existing credentials
  2. If expired/missing, run --get-url — show the URL to user
  3. User opens URL → logs in → copies the base64 code from browser
  4. Run --code with the base64 code to complete login
  5. Verify with tccli lighthouse DescribeRegions

Notes:

  • Credentials are temporary (expires in ~2 hours)
  • State is valid for 10 minutes after --get-url
  • Do NOT use tccli sts GetCallerIdentity to verify — it does not support OAuth credentials

AK/SK Setup

Only if the user explicitly provides SecretId and SecretKey:

tccli configure set secretId <SecretId>
tccli configure set secretKey <SecretKey>
tccli configure set region ap-guangzhou

Logout

tccli auth logout

Quick Reference

TaskCommand
List instancestccli lighthouse DescribeInstances --region <region>
Instance detailstccli lighthouse DescribeInstances --region <region> --InstanceIds '["lhins-xxx"]'
Firewall rulestccli lighthouse DescribeFirewallRules --region <region> --InstanceId lhins-xxx
Monitoring datatccli monitor GetMonitorData --Namespace QCE/LIGHT_HOUSE ...
Run remote commandtccli tat RunCommand --region <region> --InstanceIds '["lhins-xxx"]' --Content "..."
Snapshotstccli lighthouse DescribeSnapshots --region <region>
Traffic packagestccli lighthouse DescribeInstancesTrafficPackages --region <region> --InstanceIds '["lhins-xxx"]'
Available regionstccli lighthouse DescribeRegions
Help for any actiontccli lighthouse <Action> --help
Get current instance IDbash script/whoami.sh or bash script/whoami.sh --id

Scenario Routing

Read the corresponding reference file before executing:

User wants to...
├─ Query / start / stop / reboot instances  -> references/instance-management.md
├─ Reset password / view blueprints         -> references/instance-management.md
├─ Deploy applications / verify deployment   -> references/application-deployment.md
├─ View CPU / memory / bandwidth metrics    -> references/monitoring-alerting.md
├─ Set up alarm policies                    -> references/monitoring-alerting.md
├─ Manage firewall rules                    -> references/firewall-management.md
├─ Execute commands on instance             -> references/remote-command-tat.md
├─ Create / restore snapshots               -> references/snapshot-blueprint.md
├─ Create custom images                     -> references/snapshot-blueprint.md
├─ Check traffic usage                      -> references/traffic-package.md
├─ Identify current instance (ID / IP)      -> bash script/whoami.sh [--id | --ip]
└─ Other operations                         -> tccli lighthouse --help

Operation Safety

RiskOperationsConfirmation
HighDelete instance, apply snapshot, delete snapshot/blueprintDouble confirm, state irreversibility
MediumStop/reboot instance, modify firewall, run commandsSingle confirm
LowQuery, list, describe, helpExecute directly

Rules:

  1. Region is required for all operations except DescribeRegions
  2. Query before modify — always Describe first, never blind Create / Delete
  3. Use real IDs — get InstanceId from DescribeInstances, never use placeholders
  4. Verify parameters — run --help when unsure about parameter names or formats
  5. Lighthouse and CVM are separate products — do NOT mix their APIs
  6. Create means new — when user asks to "create" / "deploy" / "set up" something (e.g., "create a server", "deploy an app"), create a NEW instance by default. Do NOT use existing instances unless the user explicitly specifies an existing instance ID.

Common Regions

CodeLocation
ap-beijingBeijing
ap-shanghaiShanghai
ap-guangzhouGuangzhou
ap-chengduChengdu
ap-chongqingChongqing
ap-nanjingNanjing
ap-hongkongHong Kong

Run tccli lighthouse DescribeRegions for the full list.

Channel Output Compatibility

Many messaging channels (WeChat, 企业微信, Slack, Teams, Telegram, etc.) apply Markdown rendering or Markdown-to-plain-text conversion before displaying messages. Common transformations that silently corrupt output:

  • Paired underscores stripped: _xxx_xxx (italic markers)
  • Paired asterisks stripped: *xxx*xxx (bold/italic markers)
  • Backslash escapes consumed or displayed literally
  • URLs with special characters mangled or truncated

This corrupts:

  • URLs containing underscores (e.g., redirect_url, app_id in OAuth links)
  • CLI output with underscored identifiers (e.g., instance_name, secret_id)
  • Script output containing underscored fields or special characters

Rules for all channel output:

  1. URLs: Replace _ (underscore) with %5F in any URL shown to the user. For example, the OAuth authorization URL parameters like redirect_url, app_id must use %5F instead of _.
  2. CLI / script output: Always wrap output in code blocks (triple backticks) to prevent Markdown interpretation. Prefer code blocks for any multi-line output containing underscores, asterisks, or other Markdown-sensitive characters.
  3. General text: Avoid bare underscores and asterisks in plain text. Use backtick-wrapped inline code for any identifier containing these characters (e.g., instance_name, secret_id).
  4. Links: When providing clickable links, ensure the full URL is inside a code block or use URL-encoding for special characters. Do not rely on Markdown link syntax [text](url) — the URL may be altered by the channel.

Error Handling

  1. Check credentials: tccli lighthouse DescribeRegions
  2. Verify the region parameter
  3. Run tccli lighthouse <Action> --help to confirm parameter format
  4. Check instance status: tccli lighthouse DescribeInstances --region <region>