Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TencentCloud Manager

v1.2.0

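Unified management of Tencent Cloud resources, supporting creation, configuration, operations, and cost optimization for CVM cloud servers, Lighthouse lightweight application servers, and COS object storage.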

by superStupidBear @ugpoor
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and code indicate a Tencent Cloud management tool that legitimately needs Tencent API credentials and the SDKs. That capability is coherent with the stated purpose. However the package metadata declares no required environment variables or primary credential while the runtime instructions and code clearly require TENCENT_SECRET_ID and TENCENT_SECRET_KEY — an inconsistency that could confuse users and automated installers.
Instruction Scope
SKILL.md instructs the agent/user to create a .env containing SecretId/SecretKey and to run pip installs for relevant SDKs — all expected. But the instructions reference a path (skills/tencentcloud-manager/config/.env.example) that is not present in the file manifest, and the SKILL.md refers to auxiliary sub-modules (tencentcloud_cvm, tencentcloud_lighthouse, tencentcloud_cos) that are imported by the main code but are not included in the bundle. The instructions also require creating sub-user credentials and granting broad cloud permissions (cvm/runInstances, cos:PutObject/DeleteObject, etc.) — appropriate for full management but risky if given to a package of unknown origin.
Install Mechanism
There is no automated install spec; dependencies are installed via pip as instructed. The requested packages are the official Tencent SDKs and python-dotenv — a reasonable approach. No downloads from unknown URLs or archive extraction are used.
Credentials
The skill requires Tencent API credentials (SecretId/SecretKey) and region, which match its purpose. But the registry metadata does not declare these required environment variables or a primary credential, creating a mismatch. The permission templates in docs ask for broad management rights (create/modify/delete resources) which are functionally required for this tool but mean the keys must be scoped to a sub-user with minimum permissions. The code will raise errors if these env vars are missing, so the metadata omission is a practical/integrity issue.
Persistence & Privilege
The skill is not marked always:true and does not claim to modify other skills or system-wide settings. It stores/reads credentials from a .env file (user-local) and supports an optional audit log in-memory. No evidence that it persists or escalates privileges beyond normal usage.
What to consider before installing
This skill appears to implement Tencent Cloud management and legitimately needs Tencent API keys, but there are mismatches and missing pieces you should resolve before installing or handing over credentials:

1) The registry metadata does NOT list the required environment vars, yet SKILL.md and the code require TENCENT_SECRET_ID and TENCENT_SECRET_KEY — treat that as a red flag and ask the publisher why metadata is incomplete.
2) Confirm the source and provenance (repository/homepage) — the skill's Source is unknown and no homepage is provided.
3) Verify the presence and contents of the referenced helper modules (tencentcloud_cvm, tencentcloud_lighthouse, tencentcloud_cos) — they are imported by the main code but are not bundled here; ensure they come from trusted packages.
4) Do NOT supply master account keys; create a scoped sub-user with the minimal permissions shown in docs and rotate keys regularly.
5) Inspect the full tencentcloud_manager.py and any helper modules for network calls or unexpected endpoints before trusting the keys.

If you cannot validate the origin, avoid installing or providing credentials.

Like a lobster shell, security has layers — review code before you run it.
