Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TencentCloud CVM
v1.2.0
Create and manage Tencent Cloud CVM cloud server instances, with support for instance operations, promotion queries, cost control, and security group configuration.
by superStupidBear@ugpoor
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and the included Python module all focus on Tencent Cloud CVM management and related VPC/CBS actions, so requested permissions (cvm/*, vpc/*, cbs/*) are proportionate to the stated purpose. However, the registry metadata claims no required environment variables or primary credential while both SKILL.md and the code clearly require TENCENT_SECRET_ID and TENCENT_SECRET_KEY — this mismatch is unexpected.
Instruction Scope
SKILL.md instructs the agent/user to install tccli, create API keys, populate a .env, and run verify_config.py. The instructions reference repository paths and files (config/.env.example, verify_config.py) that are not present in the file manifest. That incomplete packaging and the expectation that the user create and store long-lived cloud credentials increases risk and operational friction.
Install Mechanism
There is no formal install spec; SKILL.md suggests pip installing tencentcloud-sdk-python and python-dotenv. Those are reasonable dependencies for a Python SDK-based tool. Because there's no automated installer, nothing is silently downloaded during installation — but the skill files (Python) will be present and executed by the agent at runtime.
Credentials
The skill requires cloud API credentials (TENCENT_SECRET_ID/TENCENT_SECRET_KEY) and region/zone settings per SKILL.md and the code, which is appropriate for cloud management. However, the registry metadata declares no required env vars/primary credential, and that inconsistency is a red flag. The recommended policy scope (cvm:*, vpc:*, cbs:*) is broad but consistent with full VM management; the SKILL.md does advise creating a sub-user and avoiding main account keys (good), but least-privilege recommendations should be enforced.
Persistence & Privilege
The skill is not marked always:true and does not request any platform-level persistence or modifications to other skills. Model invocation is allowed (default), which is expected for an agent-invokable skill. No elevated platform privileges are requested.
What to consider before installing
Before installing:
1) Confirm the package includes the referenced helper files (config/.env.example, verify_config.py). SKILL.md references these but they are not in the manifest—missing files may break the skill.
2) Treat TENCENT_SECRET_ID/TENCENT_SECRET_KEY as sensitive: create a dedicated sub-user with the narrowest permissions needed (avoid using the root/main account).
3) Review the Python code (src/cvm_manager.py) yourself to ensure there are no unexpected network endpoints or telemetry.
4) Prefer creating a least-privilege policy (only actions actually required) rather than granting blanket cvm:*/vpc:*/cbs:* where possible.
5) Run the skill in a non-production or isolated environment first, and rotate/revoke keys after testing.
6) Consider asking the publisher to correct the registry metadata to list required env vars and to include the missing files or fix instructions; the current inconsistencies justify caution.
Like a lobster shell, security has layers — review code before you run it.
