TencentCloud Manager

Security checks across malware telemetry and agentic risk

Overview

This Tencent Cloud management skill is coherent, but it asks for broad cloud credentials and can create, stop, restart, and alter resources without strong safeguards.

Review before installing. Use a dedicated Tencent Cloud sub-user, avoid master-account keys, restrict policies to only the services, regions, buckets, and instances needed, remove COS DeleteObject unless required, keep .env out of version control with restricted permissions, set budget alerts, and require explicit human approval before create, stop, restart, upload, lifecycle, or batch operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 84%
Finding:
The skill documents impactful actions such as instance creation, stop/start/restart, lifecycle changes, and batch operations, but the early overview does not prominently warn about service disruption, deletion risk, or unexpected charges. In an automation context, users may run examples directly, causing outages or financial impact if they misunderstand the effects.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The documentation instructs users to place Tencent cloud credentials into a local .env file and shows realistic secret variable names without a strong warning about leakage, file permissions, git exclusion, or safer alternatives such as secret managers. This increases the chance of credential exposure through version control, logs, screenshots, shell history, or overly permissive local storage.

VirusTotal

66/66 vendors flagged this skill as clean.
