cloudq
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: Multiple scripts within the skill, including `check_env.py`, `setup_role.py`, `create_role.py`, and `html_to_png.py`, utilize `subprocess.run` and `os.system` to execute shell commands. These are used for system environment validation, cloud IAM resource management, and converting HTML reports to images.
- [EXTERNAL_DOWNLOADS]: The `check_env.py` script performs a version check by fetching JSON data from `https://clawhub.ai/api/v1/skills/`. Although the fetched data is currently used for version comparison and displaying changelogs, this creates a runtime dependency on an external service.
- [IAM_MANAGEMENT]: The skill performs high-privilege Identity and Access Management (IAM) operations on Tencent Cloud, such as `cam:CreateRole` and `cam:AttachRolePolicy`. While the documentation states these actions require explicit user consent, they allow the skill to modify security configurations.
- [DYNAMIC_EXECUTION]: The report generation logic in `generate_report_default.py` and the sub-skill instructions implement a priority system that will execute a user-created `generate_report_custom.py` script via sub-process if it is found in the local directory.
- [SCRIPT_GENERATION]: The `scripts/cleanup.py` script generates shell (`.sh`) or PowerShell (`.ps1`) scripts in the system's temporary directory and provides instructions for the user to execute them to clear environment variables.
Recommendations
- HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
Audit Metadata