tsa-risk

腾讯云智能顾问（Tencent Cloud Smart Advisor）架构风险巡检工具。用于获取云架构详情、架构列表、目录查询、风险评估项查询及架构评估结果。

This skill appears to do what it says (call Tencent Cloud Advisor APIs and optionally create a CAM role) but has several issues you should consider before installing or running it with real credentials: - Review the included scripts before use. The package contains multiple Python scripts (check_env.py, create_role.py, login_url.py, tcloud_api.py, etc.) that will run locally. - Do NOT paste long-lived SecretId/SecretKey into shell rc files unless you understand the exposure. Consider using temporary STS credentials when possible and avoid storing AK/SK in ~/.bashrc/.zshrc. - The version check uses an external CLI ('clawhub') that is not declared as a required binary; if you rely on that behavior, ensure you trust and understand clawhub. Missing binary simply makes the version check fail, but the dependency is undeclared. - The login URL generator will call STS AssumeRole and embed tokens/temporary keys in a URL. URLs can be logged/shared; treat generated URLs as sensitive and follow the SKILL.md guidance to only show a Markdown link and avoid pasting raw URLs in public channels. - The login_url.py fallback disables SSL verification if certifi is absent, which can permit man-in-the-middle attacks. If you use this skill, install 'certifi' in the Python environment or review/modify the code to avoid disabling TLS verification. - Role creation and policy attachment are interactive and require your consent; double-check the exact policies being attached (QcloudAdvisorFullAccess, QcloudTAGFullAccess) and whether those scopes are acceptable for your account. If you cannot audit the code or do not trust the source, avoid running the role-creation or assume-role scripts with production credentials. Consider creating a dedicated low-privilege test account to evaluate the skill first.

Type: OpenClaw Skill Name: tsa Version: 1.5.0 The skill bundle provides tools for Tencent Cloud Smart Advisor (TSA) but includes high-risk capabilities that handle sensitive credentials and IAM permissions. Key indicators include scripts that perform IAM write operations (create_role.py: cam:CreateRole, cam:AttachRolePolicy), generate console login URLs using STS temporary tokens (login_url.py), and instructions in SKILL.md to permanently write API secrets (AK/SK) into shell configuration files (~/.bashrc). While these actions are aligned with the stated purpose of providing console access and managing cloud resources, the combination of IAM manipulation, secret persistence, and session token generation represents a significant attack surface if the agent is misdirected.