Trusted — Risk Score 5/100
Last scan: 2 days ago
hwc-infra
Huawei Cloud infrastructure management assistant, based on KooCLI (hcloud)
Legitimate Huawei Cloud infrastructure management skill using KooCLI with properly declared capabilities and no malicious behavior.
Skill Name: hwc-infra
Duration: 31.4s
Engine: pi
Safe to install
No action needed. This is a well-documented cloud infrastructure management tool.

Findings: 1 item

Severity: Low
Finding: Download without integrity verification
Location: scripts/install_koocli.py:55
The script downloads binaries from Huawei Cloud OBS without verifying checksums or signatures. While the URLs are official Huawei Cloud endpoints, adding SHA256 verification would improve security posture.
    urllib.request.urlretrieve(url, dest)
→ Consider adding checksum verification for downloaded binaries.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:26, scripts/install_koocli.py:148-152 |
| Network | READ | READ | ✓ Aligned | SKILL.md:29, scripts/install_koocli.py:55-68 |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:26, scripts/install_koocli.py:161-175 |
| Environment | READ | READ | ✓ Aligned | SKILL.md:36 |

7 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://support.huaweicloud.com/qs-hcli/hcli_02_003.html | SKILL.md:29 |
| Medium | External URL | https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/ | scripts/install_koocli.py:21 |
| Medium | External URL | https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-linux-amd64.tar.gz | scripts/install_koocli.py:23 |
| Medium | External URL | https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-linux-arm64.tar.gz | scripts/install_koocli.py:24 |
| Medium | External URL | https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-windows-amd64.zip | scripts/install_koocli.py:25 |
| Medium | External URL | https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-mac-amd64.tar.gz | scripts/install_koocli.py:27 |
| Medium | External URL | https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-mac-arm64.tar.gz | scripts/install_koocli.py:28 |

File Tree

3 files · 11.4 KB · 384 lines
Python 1f · 234L Markdown 2f · 150L
├─ 📁 references
│ └─ 📝 hcloud-queries.md Markdown 70L · 1.5 KB
├─ 📁 scripts
│ └─ 🐍 install_koocli.py Python 234L · 7.2 KB
└─ 📝 SKILL.md Markdown 80L · 2.7 KB

Security Positives

✓ SKILL.md clearly documents all capabilities and installation procedures
✓ Credential handling follows security best practices (not exposing AK/SK)
✓ Write operations require explicit user confirmation as declared
✓ Uses official Huawei Cloud OBS URLs for downloads
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No credential harvesting or data exfiltration observed
✓ No base64/encoded payloads or obfuscated code
✓ subprocess usage is minimal and only for CLI verification