MigraQ 安全扫描报告 — 低风险 | ClawSafe

20 /100

MigraQ

腾讯云迁移平台（CMG/MSP）全流程能力，支持跨云资源扫描、选型推荐、TCO分析与迁移方案规划

Legitimate Tencent Cloud migration skill with no malicious behavior; minor doc inconsistencies and credential-persistence instructions do not constitute security threats.

技能名称MigraQ

分析耗时62.6s

引擎pi

✓

可以安装

Address the API reference mismatch (Bearer vs TC3) and clarify shell tool usage in declarations; otherwise safe to use.

安全发现 3 项

严重性	安全发现	位置
低危	API reference documents Bearer token auth but code uses TC3-HMAC-SHA256 文档欺骗 The API reference file (references/api/MigraQChatCompletions.md) states 'Authorization: Bearer <TENCENTCLOUD_SECRET_KEY>', but both Python scripts implement TC3-HMAC-SHA256 signing. The SKILL.md correctly describes TC3 signing. Both methods are legitimate Tencent Cloud auth patterns, but the inconsistency in the API reference could mislead integrators. `鉴权: 使用腾讯云 AK/SK 鉴权：Authorization: Bearer <TENCENTCLOUD_SECRET_KEY>` → Update the API reference to accurately reflect TC3-HMAC-SHA256 signing, matching the implementation in migrateq_sse_api.py and check_env.py	`references/api/MigraQChatCompletions.md:12`
低危	Credentials instructed to be written to shell config files 敏感访问 SKILL.md instructs users to append TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY to ~/.zshrc using echo commands. While this is explicitly documented (not hidden), writing secrets to disk in plaintext is a risky practice. The documentation acknowledges the risk ('请确保不要将该文件提交到 Git 仓库'). `echo 'export TENCENTCLOUD_SECRET_ID="your-secret-id"' >> ~/.zshrc` → Recommend using environment variables or a secrets manager instead of persisting to shell config files. If shell config persistence is required, note the risk prominently.	`SKILL.md:76`
提示	No dependency pinning — pure standard library 供应链 Scripts use only Python standard library (urllib, ssl, json, hashlib, hmac, uuid, threading). The certifi import is attempted as a fallback for SSL context but gracefully degrades to create_default_context() if unavailable. No requirements.txt or package.json exists. `try: import certifi; except ImportError: return ssl.create_default_context()` → No action needed; standard library usage is secure and avoids supply chain risk.	`scripts/migrateq_sse_api.py:98`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	Scripts read SKILL.md front matter for version info; no other file reads
文件系统	`WRITE`	`WRITE (indirect)`	✓ 一致	SKILL.md instructs echo >> ~/.zshrc for credential persistence; documented behav…
命令执行	`WRITE`	`WRITE (indirect)`	✓ 一致	SKILL.md instructs Bash commands to write credentials; documented behavior
网络访问	`READ`	`READ`	✓ 一致	HTTPS requests to cmg.ai.tencentcloudapi.com and msp.cloud.tencent.com (version …
环境变量	`READ`	`READ`	✓ 一致	Reads TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY, CMG_REGION from os.enviro…
剪贴板	`NONE`	`NONE`	—	No clipboard access observed
浏览器	`NONE`	`NONE`	—	No browser access observed
数据库	`NONE`	`NONE`	—	No database access observed

5 项发现

🔗

中危外部 URL 外部 URL

https://cmg.ai.tencentcloudapi.com

SKILL.md:22

🔗

中危外部 URL 外部 URL

https://msp.cloud.tencent.com

SKILL.md:23

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/cam/capi

SKILL.md:66

🔗

中危外部 URL 外部 URL

https://msp.cloud.tencent.com/skill/version

scripts/check_env.py:48

🔗

中危外部 URL 外部 URL

https://cloud.tencent.com/document/api/213/30654

scripts/migrateq_sse_api.py:168

目录结构

5 文件 · 55.9 KB · 1356 行

Python 2f · 914L Markdown 2f · 442L

├─ ▾ 📁 icons

│ └─ 📦 tencent_cloud_migration.svg 7.1 KB

├─ ▾ 📁 references

│ └─ ▾ 📁 api

│ └─ 📝 MigraQChatCompletions.md Markdown 123L · 4.1 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 check_env.py Python 401L · 15.2 KB

│ └─ 🐍 migrateq_sse_api.py Python 513L · 17.5 KB

└─ 📝 SKILL.md Markdown 319L · 12.0 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`None (standard library only)`	`N/A`	stdlib	否	No external dependencies; urllib, ssl, json, hashlib, hmac, uuid, threading are all from Python stdlib

安全亮点

✓ No obfuscation techniques (base64, eval, atob) observed in any script

✓ No credential harvesting beyond declared Tencent Cloud AK/SK (TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY)

✓ No data exfiltration — all network traffic stays within declared Tencent Cloud endpoints

✓ No iteration through os.environ for sensitive keys — only reads explicitly named variables

✓ No reverse shell, C2, or remote code execution patterns

✓ No hidden instructions in HTML comments or other stealth mechanisms

✓ No suspicious external IP addresses or domains

✓ Pure Python standard library — no third-party dependencies that could introduce supply chain risk

✓ AK/SK credentials are not written to logs or local files by the scripts

✓ SSL certificate validation is enabled by default (with certifi as preferred CA bundle)

✓ Scripts validate credentials before use and return structured error messages

✓ Version checking is done via a dedicated endpoint with timeout protection