CloudQ 安全扫描报告 — 可信 | ClawSafe

5 /100

CloudQ

Multi-cloud management & Smart Advisor with architecture visualization, risk assessment & AI-powered O&M for Tencent Cloud

CloudQ is a legitimate Tencent Cloud Smart Advisor management tool with comprehensive documentation, proper consent workflows for IAM operations, and no malicious behavior detected.

技能名称CloudQ

分析耗时40.6s

引擎pi

✓

可以安装

This skill is safe to use. Ensure users understand they need to provide Tencent Cloud AK/SK credentials and consent to IAM role creation for full functionality.

安全发现 1 项

严重性	安全发现	位置
低危	clawhub CLI not formally declared in IAM/security table check_env.py uses clawhub inspect as L2 version check fallback, but this is not explicitly listed in Section 8.2 IAM operations table. However, it is declared in get_remote_info() function comments and is a documented fallback. `def _get_info_via_clawhub(slug: str) -> dict \| None: import subprocess result = subprocess.run(["clawhub", "inspect", slug, "--versions", "--json"], ...)` → Consider adding clawhub CLI to the IAM/security section in SKILL.md for complete transparency.	`check_env.py:196`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md metadata + Bash tool usage + config writes to ~/.tencent-cloudq/
网络访问	`READ`	`READ`	✓ 一致	Only connects to *.tencentcloudapi.com, cloud.tencent.com, clawhub.ai
命令执行	`WRITE`	`WRITE`	✓ 一致	Bash tool + subprocess calls within scripts
环境变量	`READ`	`READ`	✓ 一致	Only reads TENCENTCLOUD_* variables, never exfiltrates
技能调用	`NONE`	`NONE`	—	N/A
剪贴板	`NONE`	`NONE`	—	N/A
浏览器	`NONE`	`NONE`	—	N/A
数据库	`NONE`	`NONE`	—	N/A

18 项发现

🔗

中危外部 URL 外部 URL

https://*.tencentcloudapi.com

SKILL.md:8

🔗

中危外部 URL 外部 URL

https://cloud.tencent.com

SKILL.md:8

🔗

中危外部 URL 外部 URL

https://clawhub.ai

SKILL.md:8

🔗

中危外部 URL 外部 URL

https://cloud.tencent.com/developer/article/2645159）

SKILL.md:29

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/cam/capi

SKILL.md:67

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/cam/role

SKILL.md:241

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/advisor?hideTopNav=true

SKILL.md:385

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/

SKILL.md:492

🔗

中危外部 URL 外部 URL

https://cloud.tencent.com/login/roleAccessCallback?algorithm=sha256&secretId=...&token=...&signature=...&s_url=...

SKILL.md:516

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/advisor?hideTopNav=true&archId=arch-gvqocc25

SKILL.md:517

🔗

中危外部 URL 外部 URL

https://clawhub.ai/api/v1/skills/

check_env.py:237

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/advisor

check_env.py:614

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/advisor?archId=arch-gvqocc25

scripts/login_url.py:10

🔗

中危外部 URL 外部 URL

https://cloud.tencent.com/login/roleAccessCallback?

scripts/login_url.py:301

🔗

中危外部 URL 外部 URL

https://console.cloud.tencent.com/cam/role/detail?roleName=

scripts/setup_role.py:364

🔗

中危外部 URL 外部 URL

https://cloud.tencent.com/document/product/213/30654

scripts/tcloud_api.py:4

🔗

中危外部 URL 外部 URL

https://console\.cloud\.tencent\.com[^\s\

scripts/tcloud_sse_api.py:325

🔗

中危外部 URL 外部 URL

https://console\.cloud\.tencent\.com/advisor/cloudq(\?|/|$

scripts/tcloud_sse_api.py:331

目录结构

11 文件 · 131.7 KB · 3743 行

Python 7f · 2986L Markdown 3f · 751L JSON 1f · 6L

├─ ▾ 📁 references

│ └─ ▾ 📁 api

│ ├─ 📝 CloudQChatCompletions.md Markdown 56L · 1.9 KB

│ └─ 📝 CreateAdvisorAuthorization.md Markdown 64L · 1.6 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 cleanup.py Python 391L · 12.4 KB

│ ├─ 🐍 create_role.py Python 259L · 8.4 KB

│ ├─ 🐍 login_url.py Python 388L · 12.8 KB

│ ├─ 🐍 setup_role.py Python 496L · 16.1 KB

│ ├─ 🐍 tcloud_api.py Python 283L · 8.8 KB

│ └─ 🐍 tcloud_sse_api.py Python 521L · 16.4 KB

├─ 📋 _meta.json JSON 6L · 126 B

├─ 🐍 check_env.py Python 648L · 23.3 KB

└─ 📝 SKILL.md Markdown 631L · 29.8 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`certifi`	`not specified`	pip (optional)	否	Used for SSL certificate verification - legitimate security dependency

安全亮点

✓ All network requests limited to official Tencent Cloud domains (*.tencentcloudapi.com, cloud.tencent.com)

✓ Credentials only read from environment variables, never exfiltrated

✓ IAM write operations (CreateRole, DeleteRole, AttachRolePolicy) require explicit user consent

✓ Configuration files use proper permissions (700 for directories, 600 for files)

✓ STS temporary credentials only stored in memory, not persisted

✓ Complete documentation with consent workflows for sensitive operations

✓ Cleanup script provided for removing all local and cloud artifacts

✓ No base64-encoded payloads, eval(), or dynamic code execution

✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files

✓ No curl|bash or wget|sh remote script execution

✓ Cross-account data access is explicitly blocked