CLS CLI

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Tencent Cloud CLS management helper, but it gives an agent broad cloud-changing authority and handles secrets in ways users should review carefully.

Install only if you are comfortable giving this skill Tencent Cloud CLS authority. Use least-privilege or temporary credentials, avoid pasting secrets into chats or command-line flags, review any generated command before running it, and require explicit confirmation before create/update/delete or raw API actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill explicitly documents a generic `cls-cli api <Action> --params '<JSON>'` interface that can invoke any of 150+ CLS API actions, bypassing the narrower helper-command surface described elsewhere. In an agent skill context, this materially increases risk because natural-language requests can be translated into arbitrary cloud control-plane operations, including destructive or privilege-impacting actions not otherwise constrained by the skill.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly encourages loading the skill into AI coding tools so the agent can automatically install, configure, and use a cloud-management CLI, including commands that create, update, and delete alarms, topics, collectors, dashboards, and machine groups. Without prominent warnings about requiring user confirmation for state-changing actions, least-privilege credentials, and dry-run/default-safe behavior, an agent could perform destructive or costly cloud operations from ambiguous natural-language prompts.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README instructs users and AI-assisted workflows to supply Tencent Cloud secrets via command-line flags and environment variables, but it provides no warning that secrets entered on the command line may be exposed through shell history, process listings, logs, transcripts, or agent telemetry. In the context of an AI-agent skill, this is more dangerous because the agent may echo, store, or transmit credentials while automating setup.

Missing User Warnings

Medium
Confidence: 81%
Finding
The installation step combines cloning code from the internet, building it locally, moving a binary into `/usr/local/bin`, and deleting a temporary directory, all in a single chained command with no explicit warning about system modification. This is risky in a skill because users or agents may run it blindly, obscuring review of each step and normalizing privileged system changes from unvetted source code.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation instructs users to pass cloud secrets directly on the command line via `--secret-id` and `--secret-key`, which can expose credentials through shell history, process listings, logs, or agent telemetry. Although environment variables are mentioned, there is no warning steering users away from command-line secret entry or explaining safer handling practices.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill documents destructive operations such as deleting topics, alarms, dashboards, machine groups, and collectors, and also advertises `-y` to skip dangerous-operation confirmations without a strong safety warning. In an agent setting, this makes accidental or prompt-induced destructive cloud actions more likely, especially when combined with natural-language intent mapping.

Missing User Warnings

Medium
Confidence: 95%
Finding
The command reads SecretKey from standard terminal input using a normal buffered reader, so the credential is echoed visibly on screen as the user types. This can expose secrets to shoulder-surfing, screen recording, terminal session logging, or shared shell histories/workflows, which is especially risky because the feature is explicitly intended to collect cloud API credentials.

Missing User Warnings

Medium
Confidence: 98%
Finding
The `+init` command prints a shell command containing `SecretID` and `SecretKey` in cleartext. If the user copies or runs that command on a shared system, the credentials may be exposed via terminal history, process listings, logs, shell auditing, clipboard managers, or support screenshots, potentially allowing full compromise of the associated cloud account resources.

VirusTotal

66/66 vendors flagged this skill as clean.