← Back to Skills Marketplace
2214
Downloads
3
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install tencentcloud-cvm-skill
Description
腾讯云 CVM 云服务器运维工具集
Usage Guidance
This package is a full CLI/bash toolkit for Tencent Cloud CVM and will require your Tencent API keys and instance passwords to work — but the registry metadata did not declare those requirements. Before installing or running it: 1) Verify the source and trustworthiness of this bundle (no homepage provided). 2) Inspect the scripts locally (they are included) and confirm you are comfortable with plaintext password storage at ~/.tencent_cvm_passwords and the fact that scripts print passwords to stdout. 3) Prefer SSH key-based access over sshpass/passwords; if you must use passwords, restrict the password file (chmod 600) and consider storing secrets in a dedicated secret manager. 4) Be aware scripts can perform service management (systemctl) and file transfers — run them manually and avoid granting broad automation privileges. 5) If you expect the skill to be used by an agent, ensure the agent is not allowed to auto-run destructive operations; the metadata omission of required env vars should be corrected by the author before trusting automated workflows.
Capability Analysis
Type: OpenClaw Skill
Name: tencentcloud-cvm-skill
Version: 1.0.2
The skill is classified as suspicious due to the use of `sshpass` for password-based SSH authentication and the disabling of SSH host key checking (`StrictHostKeyChecking=no`, `UserKnownHostsFile=/dev/null`) in `scripts/common.sh` and various `scripts/ops/*.sh` files. While these are risky, they are explicitly documented as part of an O&M toolset. The skill also stores instance passwords locally in `~/.tencent_cvm_passwords` (with `chmod 600`), which is sensitive. However, the `SKILL.md` explicitly states that 'write operations' require 'manual confirmation', and `scripts/ops/remote-exec.sh` implements a robust whitelist/blacklist to prevent arbitrary command execution, command chaining, and remote payload execution, indicating an intent to control and limit potentially harmful actions rather than enable them maliciously. There is no evidence of intentional data exfiltration to external endpoints, persistence mechanisms, or prompt injection against the agent.
Capability Assessment
Purpose & Capability
The SKILL.md and many scripts clearly require Tencent Cloud API credentials (TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY) and SSH passwords, but the registry metadata declares no required environment variables or primary credential. That mismatch is unexpected and incoherent: a CVM tool should declare it needs cloud credentials.
Instruction Scope
SKILL.md instructs the user to export Tencent Cloud credentials and to install tccli/jq/sshpass. The included scripts then use those credentials and also persist instance passwords to a local file ($HOME/.tencent_cvm_passwords). Scripts print and store plaintext passwords, run remote commands that can read sensitive files (e.g., /etc/passwd, env, logs), and support service management (systemctl start/stop/etc.). Although SKILL.md claims write operations require manual confirmation, the scripts provide direct mechanisms for potentially destructive actions (service-manage.sh) and store secrets on disk and stdout — this broad data handling is beyond a simple query-only tool and should be considered sensitive.
Install Mechanism
There is no install spec (instruction-only in registry), but the bundle includes 29+ scripts and assets that will be executed locally. SKILL.md tells the user how to install dependencies (pip, apt, brew) but the package does not automatically install anything. Absence of an install step is not malicious by itself, but the presence of many executable scripts means installing/running them will write to disk and persist secrets.
Credentials
The code expects and requires TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (check_credentials in scripts/common.sh, and SKILL.md shows them as required), yet the skill metadata lists no required env vars. The scripts also create and read a local password file (CVM_PASSWORD_FILE defaulting to ~/.tencent_cvm_passwords) and sometimes print passwords to the console. Requesting cloud API keys and storing instance passwords is functionally necessary for a CVM ops tool, but the omission from metadata and the insecure handling (plaintext storage and stdout exposure) are disproportionate and risky if you don't control where/how the skill runs.
Persistence & Privilege
The skill persists instance passwords to a file in the user's home and creates/updates that file (init_password_file, save_instance_password, update_instance_host). always:false and no automatic autonomous invocation are good, but the skill will leave sensitive data on disk and print it to logs — review file permissions and consider moving to a secure secrets store. The skill does not modify other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tencentcloud-cvm-skill - After installation, invoke the skill by name or use
/tencentcloud-cvm-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
No changes detected in this version. Version number and content remain the same as the previous release.
v1.0.1
初始开源版本,新增基础安全限制。
- 新增 LICENSE 文件
- 明确所有运维操作均仅限执行 scripts/ 目录下的预定义脚本,禁止动态生成或任意命令执行
- remote-exec.sh 仅允许白名单安全命令
- 所有写操作需人工确认,增强安全性
- 新增“安全说明”文档章节,补充操作审计、凭证以及使用场景要求
v1.0.0
Major update with new features and improved workflows:
- Added scene-based instance recommendations (e.g., blog, web, API, dev scenarios).
- Expanded lifecycle management scripts: create, start, stop, reboot, terminate.
- Introduced resource query scripts for instances, images, VPC, subnets, security groups, and more.
- Enhanced ops scripts for SSH, system info, disk, process, services, logs, security, file transfer, and network checks.
- New password management and automatic storage per instance.
- Improved getting started guide, configuration docs, and workflow examples.
Metadata
Frequently Asked Questions
What is Tencent Cloud CVM?
腾讯云 CVM 云服务器运维工具集. It is an AI Agent Skill for Claude Code / OpenClaw, with 2214 downloads so far.
How do I install Tencent Cloud CVM?
Run "/install tencentcloud-cvm-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tencent Cloud CVM free?
Yes, Tencent Cloud CVM is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Tencent Cloud CVM support?
Tencent Cloud CVM is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Tencent Cloud CVM?
It is built and maintained by garden (@gardenchan); the current version is v1.0.2.
More Skills