Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TencentCloud Lighthouse

v1.2.0

Manage Tencent Cloud Lighthouse (lightweight application server) instances: create, delete, power on/off, query status, look up promotional plans and control costs.

by superStupidBear@ugpoor
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and instructions: this is a Lighthouse management skill that uses the Tencent Cloud SDK to create/query/manage instances. However the registry metadata declares no required environment variables or primary credential while both SKILL.md and the Python code require Tencent Cloud API keys — that discrepancy is unexpected.
Instruction Scope
SKILL.md instructions stay within the scope of managing Lighthouse: installing tccli, installing the Python SDK, creating .env with TENCENT_SECRET_ID/TENCENT_SECRET_KEY, and examples for listing/creating instances. The instructions reference reading a .env and running local verify scripts (e.g., config/.env and src/verify_config.py) which is consistent with setup but requires care since it accesses credentials.
Install Mechanism
No install spec in registry (instruction-only plus code shipped). The SKILL.md suggests pip installing tencentcloud-sdk-python and python-dotenv and brew installing tccli — these are normal, public packages/tools. No downloads from arbitrary URLs or archive extraction are present.
Credentials
The skill legitimately needs Tencent Cloud API keys to operate, but the registry metadata lists no required env vars. SKILL.md recommends storing credentials in .env and requests broad permissions (lighthouse:* and vpc:*). Broad service-level permissions are functionally plausible for lifecycle operations but increase risk; the metadata omission and broad allow policy together make credential handling a concern.
Persistence & Privilege
The skill does not request always:true and does not declare installation behaviors that modify other skills or global agent settings. Autonomous invocation is allowed by default (normal) and is not by itself a red flag here.
What to consider before installing
This skill appears to implement what it claims (Lighthouse management) and needs your Tencent Cloud API keys to function — which is expected — but the registry metadata incorrectly states no required env vars. Before installing: (1) only use sub-user API keys with the minimum necessary permissions (avoid giving full account access); (2) narrow the IAM policy instead of using lighthouse:*/vpc:* if possible; (3) do not commit .env to source control and rotate keys regularly; (4) review the shipped Python files (e.g., verify_config.py and the rest of src/lighthouse_manager.py) to confirm there are no unexpected network endpoints or exfiltration; (5) prefer installing and running this in an isolated environment (or sandbox) and verify behavior with test credentials; and (6) ask the publisher to correct the registry metadata to declare the required env vars and to explain why each permission is needed. If you cannot verify the source or code, treat the skill as untrusted.



