by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's purpose (Tencent Cloud diagnostics) is plausible, but the package is inconsistent about required tools/credentials and includes code that can run interactive auth flows and arbitrary remote commands (TAT) without proper declarations or enforced safeguards — exercise caution before installing.
评估建议
Key things to consider before installing:
- The package did not declare required binaries or credentials, but the scripts require the tccli CLI and valid Tencent Cloud credentials (used to call monitor, tat, and other APIs). Make sure tccli is installed and be aware this skill will prompt you to authenticate.
- The auth flow starts a background daemon that writes/reads files under /tmp and asks the user to paste the interactive auth code; that code will be written verbatim to /tmp and submitted...详细分析 ▾
⚠ 用途与能力
The SKILL.md and scripts clearly depend on the tccli CLI and on the ability to call Tencent Cloud TAT APIs, but the skill metadata declares no required binaries or credentials. A diagnostic skill legitimately needs tccli and valid Tencent Cloud credentials; those should be declared. The omission is an incoherence between claimed requirements and actual capabilities.
⚠ 指令范围
Runtime instructions direct the agent to run prefetch.py / diagnose.py and to start a background tccli_auth_daemon that writes/reads files under /tmp and interacts with an interactive tccli auth flow. The SKILL.md explicitly instructs suppressing intermediate output and to ask the user to paste a base64-style auth code which will be written verbatim to /tmp and fed into the tccli process. The skill also permits performing OS-level diagnostics via TAT (remote command execution). Although the SKILL.md prescribes a whitelist of 'read-only' commands, this is enforced by instructions, not by the code: exec_tat accepts arbitrary commands and will submit whatever the caller passes to TAT.
✓ 安装机制
No install spec is present (instruction + scripts only), so nothing is downloaded or auto-installed by the registry package. That lowers supply-chain risk compared to remote downloads or package installs.
⚠ 凭证需求
The skill requests no declared credentials/env vars, yet it requires valid Tencent Cloud credentials (obtained via tccli auth) and relies on tccli being present on PATH. It also writes user-supplied auth tokens into /tmp files and runs a background auth daemon. The ability to run TAT remote commands implies the skill will use credentials with permissions to execute commands on instances — this level of access should be declared and minimized.
ℹ 持久化与权限
always:false (good). The skill suggests launching a background tccli_auth_daemon (nohup) for up to 10 minutes and writes logs to /tmp; it does not request permanent installation or modify other skills. However, because the agent can invoke the skill autonomously and the scripts can call TAT to run commands on instances, there's an elevated operational risk if invoked without strict human review.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/30
init
● 可疑
安装命令 点击复制
官方npx clawhub@latest install txcloud-diagnostics
镜像加速npx clawhub@latest install txcloud-diagnostics --registry https://cn.clawhub-mirror.com
技能文档
⚠️ 所有脚本在 skill 目录下执行:先 cd skills/txcloud-diagnostics/
诊断流程
Step 1: 预获取
- 从对话提取产品类型、实例 ID、地域、问题现象、问题时间段(地域和问题时间段缺失必须追问,不得猜测)
- 通过实例 ID 前缀识别产品(见下方 ID 前缀表),再查产品路由表 → 必须先 read 对应 profile 文件,从中获取 namespace、dimension-key、核心指标。禁止凭记忆填写 namespace/dimension-key,必须从 profile 文件中读取
- 跨产品场景(如"A 访问 B 超时/报错"):优先诊断被访问方 B,诊断完 B 后若未找到原因再诊断 A。一次只诊断一个产品
- 结合 profile 指标决策表 + 用户问题现象,预选 3~8 个诊断指标
- 执行:
python3 scripts/prefetch.py --instance-id --product \
--region --namespace --dimension-key
status: "ok"→ 进 Step 2status: "auth_failed"→ 执行凭证授权(见下方),成功后重试status: "error"→ 根据 message 提示用户
Step 2: 执行诊断
python3 scripts/diagnose.py \
--instance-id --region \
--namespace --dimension-key \
--metrics '<指标1,指标2,...>' \
--problem-start '' --problem-end ''
可选:--pad-before/--pad-after(默认15分钟),--extra-dims(CCN 等多维度产品必传)。
时间处理:用户说的时间默认为 北京时间(UTC+8),直接用 +08:00 后缀。例:用户说"19点左右" → --problem-start '2026-03-28T18:30:00+08:00' --problem-end '2026-03-28T19:30:00+08:00'。不要做 UTC 转换。
指标选择优先用 profile 决策表,通用匹配:慢→latency、错误→error/fail、流量→traffic/bandwidth、连接→conn。
输出规范:全流程禁止输出中间思考/排查过程。用户只看到以下内容:
- 需要授权时:只输出授权链接 + "请点击登录授权并回复验证码",不要解释为什么需要授权、不要暴露 tccli 报错信息
- 诊断进行中:不输出任何内容(静默执行),不要说"让我先..."、"正在读取..."、"prefetch 成功"等
- 诊断完成后:只输出最终报告,格式如下:
📋 诊断结论:<一句话结论>实例 指标1 指标2 ... 状态 xxx 数据 数据 ... ✅/❌
建议:
- <具体可执行动作>
- <具体可执行动作>
禁止:输出思考过程、暴露 tccli/脚本报错细节、重复展示同一数据、编造未查证的信息
诊断失败自纠
当 diagnose.py 返回失败(API错误或数据为空)时,不要直接报错放弃,按以下顺序自主尝试(总耗时不超过 10 分钟,超时如实告知用户当前进展和失败原因):
- namespace 不对 → 用 tccli 查实际可用的 namespace:
tccli monitor DescribeBaseMetrics --cli-unfold-argument --region --Namespace <当前namespace> --output json
QCE/CYNOSDB_MYSQL ↔ QCE/TDMYSQL)- 实例 ID 格式不对 → 用户给的可能是集群 ID 而非实例 ID,通过产品 API 查询实际实例:
tccli cynosdb DescribeClusterInstanceGrps --region --ClusterId <集群ID> --output json
InstanceSet 中取 InstanceId(如 cynosdbmysql-ins-xxx)- dimension-key 不对 → 从 DescribeBaseMetrics 返回的
MetricSet[0].Dimensions中确认实际维度名
- 指标名不对 → 从 DescribeBaseMetrics 返回的
MetricSet中确认实际可用的指标名(注意大小写)
- 数据为空但无报错 → 该时间段确实没有监控数据(实例空闲/新建/已停机),如实告知用户
凭证授权
当 prefetch.py 返回 auth_failed 时执行:
nohup python3 -u scripts/tccli_auth_daemon.py > /tmp/tccli_daemon.log 2>&1 &
sleep 5 && cat /tmp/tccli_daemon.log && cat /tmp/tccli_auth_link.txt
提取链接生成超链接发给用户一键点击登录。提示用户回传验证码(一段 eyJ... 开头的 base64 长字符串)
授权环节只对用户输出:授权链接 + "请点击登录并回复验证码"。不要输出 auth_failed 原因、tccli 配置状态、credential 为空等内部信息。
将用户回复的base64 长字符串内容完整写入 /tmp/tccli_auth_input_code.txt
echo '<用户回复的验证码>' > /tmp/tccli_auth_input_code.txt
sleep 5 && cat /tmp/tccli_daemon.log
日志出现 AUTH_SUCCESS 即成功,重新执行 Step 1。
产品路由表
| 产品关键字 | Profile |
|---|---|
| cvm、云服务器、lighthouse、轻量应用、cdh | scripts/product_profiles/compute.md |
| tke、容器、tcr | scripts/product_profiles/container.md |
| scf、云函数、tcb、云开发 | scripts/product_profiles/serverless.md |
| ckafka、kafka、tdmq、rabbitmq、cmq、rocketmq、pulsar | scripts/product_profiles/mq.md |
| apigateway、api网关、tse、tsf | scripts/product_profiles/microservice.md |
| cbs、cos、cfs、chdfs、goosefs、cls、日志、ci | scripts/product_profiles/storage.md |
| clb、负载均衡、nat、vpn、dc、专线、ccn、云联网 | scripts/product_profiles/network.md |
| cdb、mysql、cynosdb、tdsql、mariadb、dcdb、postgres、sqlserver、mongodb、redis、memcached、keewidb | scripts/product_profiles/database.md |
| es、elasticsearch、emr、oceanus、dlc、cdw | scripts/product_profiles/bigdata.md |
| cdn、ecdn、gaap、edgeone、ecm | scripts/product_profiles/cdn.md |
| live、直播、vod、waf、cfw、ddos | scripts/product_profiles/media_security.md |
实例 ID 前缀速查
| 前缀 | 产品 | product 参数 |
|---|---|---|
ins- | CVM | cvm |
lhins- | Lighthouse | lighthouse |
cdb- | CDB MySQL | cdb |
cynosdbmysql- | TDSQL-C MySQL | tdsql-c |
tdsql- / tdsqlshard- | TDSQL / DCDB | tdsql |
postgres- | PostgreSQL | postgres |
mssql- | SQL Server | sqlserver |
crs- | Redis | redis |
cmgo- | MongoDB | mongodb |
keewidb- | KeeWiDB | keewidb |
lb- | CLB | clb |
ckafka- | CKafka | ckafka |
es- | Elasticsearch | es |
emr- | EMR | emr |
其它实例id搜索参考 腾讯云官网
tccli 注意事项
- 参数格式:
tccli(注意--cli-unfold-argument --ParamName value --cli-unfold-argument) - 管道解析 JSON 不稳定:优先用
> /tmp/xxx.json保存文件再用 Python 读取,不要用| python3
约束
- 单次诊断总耗时不超过 10 分钟(含自纠重试),超时立即输出已有结论并告知用户
- 监控数据仅保留 15 天,时间格式 ISO 8601 + 时区
- 严禁编造数据。获取失败或为空如实告知,不确定标注"未确认"
- 禁止无限循环:同一操作(如 tccli 命令)最多重试 2 次,2 次仍失败则输出错误信息并停止
- tccli 命令失败时:不要反复猜测参数格式,改用 prefetch.py / diagnose.py 脚本完成诊断
- 过程中禁止自己创建新脚本、直接修改原脚本等操作
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制