gardenchan

Tencent Cloud CVM

Author: garden · GitHub · v1.0.2
cross-platform ⚠ suspicious
Total downloads: 2214
Favorites: 3
Current installs: 0
Versions: 3
Install in OpenClaw
/install tencentcloud-cvm-skill
Description
Tencent Cloud CVM cloud server operations toolkit
Security usage recommendations
This package is a full CLI/bash toolkit for Tencent Cloud CVM and will require your Tencent API keys and instance passwords to work — but the registry metadata did not declare those requirements. Before installing or running it:
  1. Verify the source and trustworthiness of this bundle (no homepage provided).
  2. Inspect the scripts locally (they are included) and confirm you are comfortable with plaintext password storage at ~/.tencent_cvm_passwords and the fact that scripts print passwords to stdout.
  3. Prefer SSH key-based access over sshpass/passwords; if you must use passwords, restrict the password file (chmod 600) and consider storing secrets in a dedicated secret manager.
  4. Be aware scripts can perform service management (systemctl) and file transfers — run them manually and avoid granting broad automation privileges.
  5. If you expect the skill to be used by an agent, ensure the agent is not allowed to auto-run destructive operations; the metadata omission of required env vars should be corrected by the author before trusting automated workflows.
Functional analysis
Type: OpenClaw Skill
Name: tencentcloud-cvm-skill
Version: 1.0.2
The skill is classified as suspicious due to the use of `sshpass` for password-based SSH authentication and the disabling of SSH host key checking (`StrictHostKeyChecking=no`, `UserKnownHostsFile=/dev/null`) in `scripts/common.sh` and various `scripts/ops/*.sh` files. While these are risky, they are explicitly documented as part of an O&M toolset. The skill also stores instance passwords locally in `~/.tencent_cvm_passwords` (with `chmod 600`), which is sensitive. However, the `SKILL.md` explicitly states that 'write operations' require 'manual confirmation', and `scripts/ops/remote-exec.sh` implements a robust whitelist/blacklist to prevent arbitrary command execution, command chaining, and remote payload execution, indicating an intent to control and limit potentially harmful actions rather than enable them maliciously. There is no evidence of intentional data exfiltration to external endpoints, persistence mechanisms, or prompt injection against the agent.
Capability assessment
Purpose & Capability
The SKILL.md and many scripts clearly require Tencent Cloud API credentials (TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY) and SSH passwords, but the registry metadata declares no required environment variables or primary credential. That mismatch is unexpected and incoherent: a CVM tool should declare it needs cloud credentials.
Instruction Scope
SKILL.md instructs the user to export Tencent Cloud credentials and to install tccli/jq/sshpass. The included scripts then use those credentials and also persist instance passwords to a local file ($HOME/.tencent_cvm_passwords). Scripts print and store plaintext passwords, run remote commands that can read sensitive files (e.g., /etc/passwd, env, logs), and support service management (systemctl start/stop/etc.). Although SKILL.md claims write operations require manual confirmation, the scripts provide direct mechanisms for potentially destructive actions (service-manage.sh) and store secrets on disk and stdout — this broad data handling is beyond a simple query-only tool and should be considered sensitive.
Install Mechanism
There is no install spec (instruction-only in registry), but the bundle includes 29+ scripts and assets that will be executed locally. SKILL.md tells the user how to install dependencies (pip, apt, brew) but the package does not automatically install anything. Absence of an install step is not malicious by itself, but the presence of many executable scripts means installing/running them will write to disk and persist secrets.
Credentials
The code expects and requires TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (check_credentials in scripts/common.sh, and SKILL.md shows them as required), yet the skill metadata lists no required env vars. The scripts also create and read a local password file (CVM_PASSWORD_FILE defaulting to ~/.tencent_cvm_passwords) and sometimes print passwords to the console. Requesting cloud API keys and storing instance passwords is functionally necessary for a CVM ops tool, but the omission from metadata and the insecure handling (plaintext storage and stdout exposure) are disproportionate and risky if you don't control where/how the skill runs.
Persistence & Privilege
The skill persists instance passwords to a file in the user's home and creates/updates that file (init_password_file, save_instance_password, update_instance_host). always:false and no automatic autonomous invocation are good, but the skill will leave sensitive data on disk and print it to logs — review file permissions and consider moving to a secure secrets store. The skill does not modify other skills or system-wide agent settings.
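How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install tencentcloud-cvm-skill
  3. Once installation completes, call the Skill by name or trigger it with /tencentcloud-cvm-skill
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history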
v1.0.2
No changes detected in this version. Version number and content remain the same as the previous release.
v1.0.1
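Initial open-source release, adding basic security restrictions.
  - Added a LICENSE file
  - Made explicit that all O&M operations are limited to executing the predefined scripts under the scripts/ directory; dynamic generation or arbitrary command execution is prohibited
  - remote-exec.sh allows only whitelisted safe commands
  - All write operations require manual confirmation, for stronger security
  - Added a "Security notes" documentation section covering operation auditing, credentials, and usage-scenario requirements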
v1.0.0
Major update with new features and improved workflows:
  - Added scene-based instance recommendations (e.g., blog, web, API, dev scenarios).
  - Expanded lifecycle management scripts: create, start, stop, reboot, terminate.
  - Introduced resource query scripts for instances, images, VPC, subnets, security groups, and more.
  - Enhanced ops scripts for SSH, system info, disk, process, services, logs, security, file transfer, and network checks.
  - New password management and automatic storage per instance.
  - Improved getting started guide, configuration docs, and workflow examples.
Metadata
Slug tencentcloud-cvm-skill
Version 1.0.2
License
Total installs 1
Current installs 0
Historical versions 3
FAQ

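What is Tencent Cloud CVM?

A Tencent Cloud CVM cloud server operations toolkit. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2214 total downloads to date.

How do I install Tencent Cloud CVM?

Run the command "/install tencentcloud-cvm-skill" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Tencent Cloud CVM free?

Yes, Tencent Cloud CVM is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Tencent Cloud CVM support?

Tencent Cloud CVM runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Tencent Cloud CVM?

Developed and maintained by garden (@gardenchan); the current version is v1.0.2.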
