AndonQ

腾讯云 AndonQ 工单与智能客服助手 — 不切窗口、不排队，即刻获得腾讯云全产品线专业解答。支持工单查询（列表/详情/流水）、集团工单与需求单管理，以及腾讯云全产品线智能问答。当用户查询工单、查看工单详情、咨询腾讯云产品问题（如 CVM、轻量应用服务器、COS 等）、查询集团工单/需求单，或要求找人工客服时使用。

This skill appears to be a real Tencent Cloud Andon ticket + SmartQA client, but there are a few red flags you should consider before installing or using it: - Credentials disclosure: The skill needs TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY to query tickets. The SKILL.md tells you to write them permanently into your shell profile (~/.bashrc / ~/.zshrc or Windows user env). Persisting AK/SK in startup files increases exposure — prefer using ephemeral environment variables, a dedicated least-privilege key, or a short-lived credential mechanism if available. Rotate the keys after initial use. - Metadata mismatch: The registry metadata lists no required env vars while the skill and docs require AK/SK; this mismatch can be accidental but it hides important security context from users. Treat the skill as requiring sensitive credentials until proven otherwise. - Version check subprocess: The environment checker runs 'clawhub inspect <slug>' via subprocess. That call will fail harmlessly if clawhub is not installed, but it means the script assumes an external CLI may exist; review what that CLI would do in your environment before installing it. - Code review & network behavior: The Python code included is readable and shows HTTP(S) requests to Tencent endpoints (tandon.tencentcloudapi.com, andon.cloud.tencent.com, cloud.tencent.com). There is no obvious credential exfiltration in these files, but you should run the code locally or review it fully before supplying credentials. Practical steps: - If you want to proceed: create a dedicated least-privilege Tencent Cloud API key (scope-limited if possible), do not store it permanently in shell startup files — set env vars only for the session or use a secrets manager, and rotate the key afterwards. - Run check_env.py locally (it is advertised read-only) to validate behavior before invoking ticket APIs. - Inspect/grep the code locally for any unexpected outbound hosts beyond the documented Tencent hosts. - If you cannot audit the code, avoid entering long-lived credentials into persistent configs; consider running this skill in an isolated environment or container. Confidence: medium — the functionality and network targets match the advertised purpose, but the undeclared credential requirement and the instruction to persist secrets into shell startup files are disproportionate and merit caution.

Type: OpenClaw Skill Name: tencent-andon Version: 1.0.0 The AndonQ skill bundle is a legitimate tool for managing Tencent Cloud tickets and interacting with their SmartQA service. It implements standard Tencent Cloud API signing (TC3-HMAC-SHA256) using only Python standard libraries and communicates exclusively with official Tencent domains (tencentcloudapi.com and cloud.tencent.com). While SKILL.md encourages users to persist sensitive API credentials in shell configuration files (~/.zshrc), which is a suboptimal security practice, this is a common pattern for CLI tools and does not indicate malicious intent. The code in check_env.py and the scripts directory is well-structured, lacks obfuscation, and performs only the actions described in the documentation.