MigraQ Security Report — Low Risk | ClawSafe

20 /100

MigraQ

腾讯云迁移平台（CMG/MSP）全流程能力，支持跨云资源扫描、选型推荐、TCO分析与迁移方案规划

Legitimate Tencent Cloud migration skill with no malicious behavior; minor doc inconsistencies and credential-persistence instructions do not constitute security threats.

Skill NameMigraQ

Duration62.6s

Enginepi

✓

Safe to install

Address the API reference mismatch (Bearer vs TC3) and clarify shell tool usage in declarations; otherwise safe to use.

Findings 3 items

Severity	Finding	Location
Low	API reference documents Bearer token auth but code uses TC3-HMAC-SHA256 Doc Mismatch The API reference file (references/api/MigraQChatCompletions.md) states 'Authorization: Bearer <TENCENTCLOUD_SECRET_KEY>', but both Python scripts implement TC3-HMAC-SHA256 signing. The SKILL.md correctly describes TC3 signing. Both methods are legitimate Tencent Cloud auth patterns, but the inconsistency in the API reference could mislead integrators. `鉴权: 使用腾讯云 AK/SK 鉴权：Authorization: Bearer <TENCENTCLOUD_SECRET_KEY>` → Update the API reference to accurately reflect TC3-HMAC-SHA256 signing, matching the implementation in migrateq_sse_api.py and check_env.py	`references/api/MigraQChatCompletions.md:12`
Low	Credentials instructed to be written to shell config files Sensitive Access SKILL.md instructs users to append TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY to ~/.zshrc using echo commands. While this is explicitly documented (not hidden), writing secrets to disk in plaintext is a risky practice. The documentation acknowledges the risk ('请确保不要将该文件提交到 Git 仓库'). `echo 'export TENCENTCLOUD_SECRET_ID="your-secret-id"' >> ~/.zshrc` → Recommend using environment variables or a secrets manager instead of persisting to shell config files. If shell config persistence is required, note the risk prominently.	`SKILL.md:76`
Info	No dependency pinning — pure standard library Supply Chain Scripts use only Python standard library (urllib, ssl, json, hashlib, hmac, uuid, threading). The certifi import is attempted as a fallback for SSL context but gracefully degrades to create_default_context() if unavailable. No requirements.txt or package.json exists. `try: import certifi; except ImportError: return ssl.create_default_context()` → No action needed; standard library usage is secure and avoids supply chain risk.	`scripts/migrateq_sse_api.py:98`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	Scripts read SKILL.md front matter for version info; no other file reads
Filesystem	`WRITE`	`WRITE (indirect)`	✓ Aligned	SKILL.md instructs echo >> ~/.zshrc for credential persistence; documented behav…
Shell	`WRITE`	`WRITE (indirect)`	✓ Aligned	SKILL.md instructs Bash commands to write credentials; documented behavior
Network	`READ`	`READ`	✓ Aligned	HTTPS requests to cmg.ai.tencentcloudapi.com and msp.cloud.tencent.com (version …
Environment	`READ`	`READ`	✓ Aligned	Reads TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY, CMG_REGION from os.enviro…
Clipboard	`NONE`	`NONE`	—	No clipboard access observed
Browser	`NONE`	`NONE`	—	No browser access observed
Database	`NONE`	`NONE`	—	No database access observed

5 findings

🔗

Medium External URL 外部 URL

https://cmg.ai.tencentcloudapi.com

SKILL.md:22

🔗

Medium External URL 外部 URL

https://msp.cloud.tencent.com

SKILL.md:23

🔗

Medium External URL 外部 URL

https://console.cloud.tencent.com/cam/capi

SKILL.md:66

🔗

Medium External URL 外部 URL

https://msp.cloud.tencent.com/skill/version

scripts/check_env.py:48

🔗

Medium External URL 外部 URL

https://cloud.tencent.com/document/api/213/30654

scripts/migrateq_sse_api.py:168

File Tree

5 files · 55.9 KB · 1356 lines

Python 2f · 914L Markdown 2f · 442L

├─ ▾ 📁 icons

│ └─ 📦 tencent_cloud_migration.svg 7.1 KB

├─ ▾ 📁 references

│ └─ ▾ 📁 api

│ └─ 📝 MigraQChatCompletions.md Markdown 123L · 4.1 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 check_env.py Python 401L · 15.2 KB

│ └─ 🐍 migrateq_sse_api.py Python 513L · 17.5 KB

└─ 📝 SKILL.md Markdown 319L · 12.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`None (standard library only)`	`N/A`	stdlib	No	No external dependencies; urllib, ssl, json, hashlib, hmac, uuid, threading are all from Python stdlib

Security Positives

✓ No obfuscation techniques (base64, eval, atob) observed in any script

✓ No credential harvesting beyond declared Tencent Cloud AK/SK (TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY)

✓ No data exfiltration — all network traffic stays within declared Tencent Cloud endpoints

✓ No iteration through os.environ for sensitive keys — only reads explicitly named variables

✓ No reverse shell, C2, or remote code execution patterns

✓ No hidden instructions in HTML comments or other stealth mechanisms

✓ No suspicious external IP addresses or domains

✓ Pure Python standard library — no third-party dependencies that could introduce supply chain risk

✓ AK/SK credentials are not written to logs or local files by the scripts

✓ SSL certificate validation is enabled by default (with certifi as preferred CA bundle)

✓ Scripts validate credentials before use and return structured error messages

✓ Version checking is done via a dedicated endpoint with timeout protection

Scan Report

Findings 3 items

File Tree

Dependencies 1 items

Security Positives