TencentCloud Lighthouse

Security checks across malware telemetry and agentic risk

Overview

This is a real Tencent Cloud Lighthouse management skill, but it gives an agent broad cloud control that can create, renew, stop, reboot, or delete servers with limited built-in safeguards.

Install only if you intentionally want the agent to control Tencent Cloud Lighthouse resources. Use a dedicated subuser with the narrowest practical permissions, restrict regions and resources where possible, require manual approval before create/delete/reboot/renew actions, keep backups before deletion, and do not print or paste .env credentials into chat or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (86% confidence)
Finding
The skill explicitly advertises creating and deleting Lighthouse servers, but the nearby documentation does not clearly warn that provisioning will incur real cloud charges and that deletion can permanently remove instances and attached data. In a cloud-management skill, missing these warnings increases the risk of unintended spend and destructive actions by users or downstream agents.

Missing User Warnings

High (96% confidence)
Finding
The delete_instance method directly calls TerminateInstances on the supplied instance ID with no confirmation step, safeguard, dry-run mode, or visibility into what will be deleted. In an automation skill that manages real cloud infrastructure, a mistaken call, bad input, or prompt-driven misuse can irreversibly destroy production resources and cause service outage or data loss.

VirusTotal

65/65 vendors flagged this skill as clean.
