setup-cloudbase-openclaw

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt instructs users/agents to replace placeholders with SecretId, SecretKey, and EnvId in a mcporter.json config (i.e., embed API credentials verbatim into generated config), which encourages the agent to accept and output secret values directly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running npx to fetch and execute remote npm packages at runtime (e.g., "npx @cloudbase/setup-openclaw", "npx @cloudbase/cloudbase-mcp", and "npx skills add tencentcloudbase/skills") and references the remote repo https://github.com/TencentCloudBase/cloudbase-mcp. External code is therefore fetched and executed at runtime and can directly control agent behavior (e.g., by installing a plugin that injects prompts), making this a high-confidence runtime risk.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 10, 2026, 03:07 AM