setup-cloudbase-openclaw


Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs users to store sensitive cloud credentials in plain-text configuration files.
  • SKILL.md and README.md provide a configuration template for mcporter.json containing TENCENTCLOUD_SECRETID and TENCENTCLOUD_SECRETKEY fields.
  • Users are guided to replace the placeholders with live API keys retrieved from the Tencent Cloud console to enable MCP functionality.
- [COMMAND_EXECUTION]: Setup scripts perform broad file-system operations to detect and modify installation directories.
  • scripts/setup.mjs and scripts/detect-setup.sh check for the existence of, and write to, paths such as ~/.openclaw/, ~/.clawdbot/ and ~/.moltbot/ to locate and update installation configurations.
  • The copy-template command uses recursive copy operations to place application code into the user's workspace.
- [REMOTE_CODE_EXECUTION]: The skill installs an executable plugin that runs within the agent's gateway process.
  • The install-plugin command in scripts/setup.mjs copies plugins/skill-enhancer/index.ts into the agent's extension directory.
  • This plugin hooks the before_agent_start event, allowing it to execute code and modify the prompt context dynamically while the agent is running.
- [PROMPT_INJECTION]: The skill steers agent behavior through global instruction sets and context manipulation.
  • SKILL.md updates the workspace AGENTS.md file with strict behavioral rules such as 'The agent MUST read skills first'.
  • The installed skill-enhancer plugin prepends a mandatory instruction block to the model's context for every interaction, overriding default response patterns and forcing the agent to justify its actions.
- [EXTERNAL_DOWNLOADS]: The skill relies on the npx command to fetch and execute vendor-managed code and dependencies.
  • The documentation recommends running npx @cloudbase/setup-openclaw for detection and setup.
  • The MCP configuration pulls the cloudbase-mcp implementation from a remote registry at runtime via npx; the package is documented as a vendor-controlled resource.
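The CREDENTIALS_UNSAFE and EXTERNAL_DOWNLOADS findings above can be checked mechanically before a filled-in configuration is committed or shipped. The following linter is an added example written for this audit page; it is not code from the audited skill or from the CloudBase project. It assumes that mcporter.json follows the common MCP client layout ({"mcpServers": {"<name>": {"command", "args", "env"}}}); the package name and version in the sample configs are invented, and the sample credential values are constructed, not real keys.

```javascript
// Added example, not code from the audited skill or from CloudBase: a small
// linter for an MCP-style JSON config that flags the two findings above,
// inline Tencent Cloud secrets and unpinned `npx` package specs.
// Assumptions: mcporter.json follows the common MCP client layout
// { "mcpServers": { "<name>": { "command", "args", "env" } } }, and the
// package name and version in the sample configs are invented.

const SECRET_KEYS = ["TENCENTCLOUD_SECRETID", "TENCENTCLOUD_SECRETKEY"];

// True when the value is an environment-variable reference (${VAR} or $VAR)
// or still an obvious template placeholder rather than a live credential.
function isReferenceOrPlaceholder(value) {
  if (typeof value !== "string" || value.trim() === "") return true;
  if (/^(\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$[A-Za-z_][A-Za-z0-9_]*)$/.test(value)) return true;
  if (/^<[^>]+>$/.test(value)) return true;                 // e.g. <your-secret-id>
  if (/^(your[_-]|replace|xxx|todo|changeme)/i.test(value)) return true;
  return false;
}

// True when an npx package spec carries an exact semver, e.g. @scope/name@1.2.3.
// "name", "name@latest" and "name@^1" all count as unpinned.
function isPinnedPackageSpec(spec) {
  return /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*@\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Returns one finding object per violation: { server, rule, detail }.
function auditMcpConfig(configText) {
  const findings = [];
  const servers = JSON.parse(configText).mcpServers || {};
  for (const [name, server] of Object.entries(servers)) {
    const env = server.env || {};
    for (const key of SECRET_KEYS) {
      if (key in env && !isReferenceOrPlaceholder(env[key])) {
        findings.push({ server: name, rule: "CREDENTIALS_UNSAFE",
          detail: `${key} holds a literal value; reference an environment variable instead` });
      }
    }
    if (server.command === "npx") {
      // The first argument that is not a flag (-y, --yes, ...) is the package spec.
      const spec = (server.args || []).find((a) => !a.startsWith("-"));
      if (spec !== undefined && !isPinnedPackageSpec(spec)) {
        findings.push({ server: name, rule: "EXTERNAL_DOWNLOADS",
          detail: `npx spec "${spec}" is not pinned to an exact version` });
      }
    }
  }
  return findings;
}

// Constructed sample: a template filled in the way the finding describes.
// The credential values are made up and are not real keys.
const UNSAFE_CONFIG = JSON.stringify({
  mcpServers: {
    cloudbase: {
      command: "npx",
      args: ["-y", "@cloudbase/cloudbase-mcp"],
      env: {
        TENCENTCLOUD_SECRETID: "AKIDEXAMPLE00000000000000000000000",
        TENCENTCLOUD_SECRETKEY: "exampleSecretKey0000000000000000",
      },
    },
  },
});

// Constructed sample: same server, secrets referenced from the environment
// instead of stored inline, package pinned to an exact (invented) version.
const HARDENED_CONFIG = JSON.stringify({
  mcpServers: {
    cloudbase: {
      command: "npx",
      args: ["-y", "@cloudbase/cloudbase-mcp@1.0.0"],
      env: {
        TENCENTCLOUD_SECRETID: "${TENCENTCLOUD_SECRETID}",
        TENCENTCLOUD_SECRETKEY: "${TENCENTCLOUD_SECRETKEY}",
      },
    },
  },
});

console.log(auditMcpConfig(UNSAFE_CONFIG));   // three findings
console.log(auditMcpConfig(HARDENED_CONFIG)); // []
```

Two caveats apply. Whether the MCP client actually expands ${VAR} references in the env block depends on the client, so the hardened form must be confirmed against the client's documented behaviour. Pinning an exact version narrows the EXTERNAL_DOWNLOADS exposure but still trusts the registry at run time; installing the package once from a lockfile with integrity hashes and pointing the config at the local install removes the run-time fetch entirely.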
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 03:07 AM