Trusted — Risk Score 5/100
Last scan: 2 days ago
CloudQ
Multi-cloud management & Smart Advisor with architecture visualization, risk assessment & AI-powered O&M for Tencent Cloud
CloudQ is a legitimate Tencent Cloud Smart Advisor management tool with comprehensive documentation, proper consent workflows for IAM operations, and no malicious behavior detected.
Skill Name: CloudQ
Duration: 40.6s
Engine: pi
Safe to install
This skill is safe to use. Ensure users understand they need to provide Tencent Cloud AK/SK credentials and consent to IAM role creation for full functionality.

Findings 1 items

Severity: Low
Finding: clawhub CLI not formally declared in IAM/security table
check_env.py uses clawhub inspect as the L2 version-check fallback, but this is not explicitly listed in the Section 8.2 IAM operations table. However, it is declared in the get_remote_info() function comments and is a documented fallback.
def _get_info_via_clawhub(slug: str) -> dict | None:
    import subprocess
    result = subprocess.run(["clawhub", "inspect", slug, "--versions", "--json"], ...)
→ Consider adding clawhub CLI to the IAM/security section in SKILL.md for complete transparency.
Location: check_env.py:196

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md metadata + Bash tool usage + config writes to ~/.tencent-cloudq/ |
| Network | READ | READ | ✓ Aligned | Only connects to *.tencentcloudapi.com, cloud.tencent.com, clawhub.ai |
| Shell | WRITE | WRITE | ✓ Aligned | Bash tool + subprocess calls within scripts |
| Environment | READ | READ | ✓ Aligned | Only reads TENCENTCLOUD_* variables, never exfiltrates |
| Skill Invoke | NONE | NONE | N/A | |
| Clipboard | NONE | NONE | N/A | |
| Browser | NONE | NONE | N/A | |
| Database | NONE | NONE | N/A | |

18 findings
Medium · External URL · https://*.tencentcloudapi.com · SKILL.md:8
Medium · External URL · https://cloud.tencent.com · SKILL.md:8
Medium · External URL · https://clawhub.ai · SKILL.md:8
Medium · External URL · https://cloud.tencent.com/developer/article/2645159) · SKILL.md:29
Medium · External URL · https://console.cloud.tencent.com/cam/capi · SKILL.md:67
Medium · External URL · https://console.cloud.tencent.com/cam/role · SKILL.md:241
Medium · External URL · https://console.cloud.tencent.com/advisor?hideTopNav=true · SKILL.md:385
Medium · External URL · https://console.cloud.tencent.com/ · SKILL.md:492
Medium · External URL · https://cloud.tencent.com/login/roleAccessCallback?algorithm=sha256&secretId=...&token=...&signature=...&s_url=... · SKILL.md:516
Medium · External URL · https://console.cloud.tencent.com/advisor?hideTopNav=true&archId=arch-gvqocc25 · SKILL.md:517
Medium · External URL · https://clawhub.ai/api/v1/skills/ · check_env.py:237
Medium · External URL · https://console.cloud.tencent.com/advisor · check_env.py:614
Medium · External URL · https://console.cloud.tencent.com/advisor?archId=arch-gvqocc25 · scripts/login_url.py:10
Medium · External URL · https://cloud.tencent.com/login/roleAccessCallback? · scripts/login_url.py:301
Medium · External URL · https://console.cloud.tencent.com/cam/role/detail?roleName= · scripts/setup_role.py:364
Medium · External URL · https://cloud.tencent.com/document/product/213/30654 · scripts/tcloud_api.py:4
Medium · External URL · https://console\.cloud\.tencent\.com[^\s\ · scripts/tcloud_sse_api.py:325
Medium · External URL · https://console\.cloud\.tencent\.com/advisor/cloudq(\?|/|$ · scripts/tcloud_sse_api.py:331

File Tree

11 files · 131.7 KB · 3743 lines
Python 7f · 2986L Markdown 3f · 751L JSON 1f · 6L
├─ 📁 references
│  └─ 📁 api
│     ├─ 📝 CloudQChatCompletions.md Markdown 56L · 1.9 KB
│     └─ 📝 CreateAdvisorAuthorization.md Markdown 64L · 1.6 KB
├─ 📁 scripts
│  ├─ 🐍 cleanup.py Python 391L · 12.4 KB
│  ├─ 🐍 create_role.py Python 259L · 8.4 KB
│  ├─ 🐍 login_url.py Python 388L · 12.8 KB
│  ├─ 🐍 setup_role.py Python 496L · 16.1 KB
│  ├─ 🐍 tcloud_api.py Python 283L · 8.8 KB
│  └─ 🐍 tcloud_sse_api.py Python 521L · 16.4 KB
├─ 📋 _meta.json JSON 6L · 126 B
├─ 🐍 check_env.py Python 648L · 23.3 KB
└─ 📝 SKILL.md Markdown 631L · 29.8 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| certifi | not specified | pip (optional) | No | Used for SSL certificate verification - legitimate security dependency |

Security Positives

✓ All network requests limited to official Tencent Cloud domains (*.tencentcloudapi.com, cloud.tencent.com)
✓ Credentials only read from environment variables, never exfiltrated
✓ IAM write operations (CreateRole, DeleteRole, AttachRolePolicy) require explicit user consent
✓ Configuration files use proper permissions (700 for directories, 600 for files)
✓ STS temporary credentials only stored in memory, not persisted
✓ Complete documentation with consent workflows for sensitive operations
✓ Cleanup script provided for removing all local and cloud artifacts
✓ No base64-encoded payloads, eval(), or dynamic code execution
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No curl|bash or wget|sh remote script execution
✓ Cross-account data access is explicitly blocked