Trusted: risk score 5/100
Last scanned: 2 days ago
hwc-infra
Huawei Cloud infrastructure management assistant, based on KooCLI (hcloud)
Legitimate Huawei Cloud infrastructure management skill using KooCLI with properly declared capabilities and no malicious behavior.
Skill name: hwc-infra
Analysis time: 31.4s
Engine: pi
OK to install
No action needed. This is a well-documented cloud infrastructure management tool.

Security findings: 1

Severity | Finding | Location
Low
Download without integrity verification
The script downloads binaries from Huawei Cloud OBS without verifying checksums or signatures. While the URLs are official Huawei Cloud endpoints, adding SHA256 verification would improve security posture.
urllib.request.urlretrieve(url, dest)
→ Consider adding checksum verification for downloaded binaries.
scripts/install_koocli.py:55
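Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Consistent | SKILL.md:26, scripts/install_koocli.py:148-152
Network access | READ | READ | ✓ Consistent | SKILL.md:29, scripts/install_koocli.py:55-68
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:26, scripts/install_koocli.py:161-175
Environment variables | READ | READ | ✓ Consistent | SKILL.md:36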
7 findings
Medium | External URL
https://support.huaweicloud.com/qs-hcli/hcli_02_003.html
SKILL.md:29
Medium | External URL
https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/
scripts/install_koocli.py:21
Medium | External URL
https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-linux-amd64.tar.gz
scripts/install_koocli.py:23
Medium | External URL
https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-linux-arm64.tar.gz
scripts/install_koocli.py:24
Medium | External URL
https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-windows-amd64.zip
scripts/install_koocli.py:25
Medium | External URL
https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-mac-amd64.tar.gz
scripts/install_koocli.py:27
Medium | External URL
https://cn-north-4-hdn-koocli.obs.cn-north-4.myhuaweicloud.com/cli/latest/huaweicloud-cli-mac-arm64.tar.gz
scripts/install_koocli.py:28

Directory structure

3 files · 11.4 KB · 384 lines
Python: 1 file · 234 lines; Markdown: 2 files · 150 lines
├─ 📁 references
│ └─ 📝 hcloud-queries.md Markdown 70L · 1.5 KB
├─ 📁 scripts
│ └─ 🐍 install_koocli.py Python 234L · 7.2 KB
└─ 📝 SKILL.md Markdown 80L · 2.7 KB

Security highlights

✓ SKILL.md clearly documents all capabilities and installation procedures
✓ Credential handling follows security best practices (not exposing AK/SK)
✓ Write operations require explicit user confirmation as declared
✓ Uses official Huawei Cloud OBS URLs for downloads
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No credential harvesting or data exfiltration observed
✓ No base64/encoded payloads or obfuscated code
✓ subprocess usage is minimal and only for CLI verification