Trust Assessment
tencentcloud-cvm-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 29 findings: 13 critical, 4 high, 12 medium, and 0 low severity. Key findings include "Persistence / self-modification instructions", "Sensitive environment variable access: $HOME", and "Sensitive environment variable access: $USER".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (29)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/gardenchan/tencentcloud-cvm-skill/SKILL.md:183 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/remote-exec.sh:79 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/remote-exec.sh:243 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/security-check.sh:80 | |
| CRITICAL | Persistence / self-modification instructions systemd service persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/remote-exec.sh:125 | |
| CRITICAL | Local Command Injection via 'eval' in Query Scripts Multiple query scripts (`describe-instances.sh`, `describe-security-groups.sh`, `describe-subnets.sh`, `describe-vpcs.sh`) construct `tccli` command arguments as a single string (`$ARGS`) and then execute them using `eval`. User-controlled input (e.g., `--instance-id`, `--name`, `--vpc-id`, `--sg-id`, `--subnet-id`) is directly interpolated into this `$ARGS` string. An attacker providing malicious input like `']'; rm -rf /; echo '['` for an instance ID could execute arbitrary commands on the local machine. Avoid using `eval` with user-controlled input. Instead, construct commands using arrays (e.g., `cmd_array=(tccli cvm DescribeInstances); cmd_array+=(--region "$REGION"); ...; "${cmd_array[@]}"`) to prevent shell injection. Ensure all user-controlled inputs are properly quoted or escaped when building command strings. | LLM | scripts/query/describe-instances.sh:60 | |
| CRITICAL | Local Command Injection via 'eval' in Query Scripts Multiple query scripts (`describe-instances.sh`, `describe-security-groups.sh`, `describe-subnets.sh`, `describe-vpcs.sh`) construct `tccli` command arguments as a single string (`$ARGS`) and then execute them using `eval`. User-controlled input (e.g., `--instance-id`, `--name`, `--vpc-id`, `--sg-id`, `--subnet-id`) is directly interpolated into this `$ARGS` string. An attacker providing malicious input like `']'; rm -rf /; echo '['` for an instance ID could execute arbitrary commands on the local machine. Avoid using `eval` with user-controlled input. Instead, construct commands using arrays (e.g., `cmd_array=(tccli vpc DescribeSecurityGroups); cmd_array+=(--region "$REGION"); ...; "${cmd_array[@]}"`) to prevent shell injection. Ensure all user-controlled inputs are properly quoted or escaped when building command strings. | LLM | scripts/query/describe-security-groups.sh:59 | |
| CRITICAL | Local Command Injection via 'eval' in Query Scripts Multiple query scripts (`describe-instances.sh`, `describe-security-groups.sh`, `describe-subnets.sh`, `describe-vpcs.sh`) construct `tccli` command arguments as a single string (`$ARGS`) and then execute them using `eval`. User-controlled input (e.g., `--instance-id`, `--name`, `--vpc-id`, `--sg-id`, `--subnet-id`) is directly interpolated into this `$ARGS` string. An attacker providing malicious input like `']'; rm -rf /; echo '['` for an instance ID could execute arbitrary commands on the local machine. Avoid using `eval` with user-controlled input. Instead, construct commands using arrays (e.g., `cmd_array=(tccli vpc DescribeSubnets); cmd_array+=(--region "$REGION"); ...; "${cmd_array[@]}"`) to prevent shell injection. Ensure all user-controlled inputs are properly quoted or escaped when building command strings. | LLM | scripts/query/describe-subnets.sh:64 | |
| CRITICAL | Local Command Injection via 'eval' in Query Scripts Multiple query scripts (`describe-instances.sh`, `describe-security-groups.sh`, `describe-subnets.sh`, `describe-vpcs.sh`) construct `tccli` command arguments as a single string (`$ARGS`) and then execute them using `eval`. User-controlled input (e.g., `--instance-id`, `--name`, `--vpc-id`, `--sg-id`, `--subnet-id`) is directly interpolated into this `$ARGS` string. An attacker providing malicious input like `']'; rm -rf /; echo '['` for an instance ID could execute arbitrary commands on the local machine. Avoid using `eval` with user-controlled input. Instead, construct commands using arrays (e.g., `cmd_array=(tccli vpc DescribeVpcs); cmd_array+=(--region "$REGION"); ...; "${cmd_array[@]}"`) to prevent shell injection. Ensure all user-controlled inputs are properly quoted or escaped when building command strings. | LLM | scripts/query/describe-vpcs.sh:50 | |
| CRITICAL | Remote Command Injection via Unsanitized User Input in SSH Commands The `scripts/ops/remote-exec.sh` script attempts to validate user-provided commands using a blacklist/whitelist approach (`validate_command` function). This method is notoriously difficult to secure against all bypasses. An attacker could craft a command (e.g., using newlines, comments, or obscure shell syntax not covered by the blacklist) to execute arbitrary commands on the remote server, as the `$CMD` is passed directly to `ssh` for remote execution. A robust solution for executing remote commands securely typically involves a server-side agent that executes pre-approved commands, or a much more sophisticated command parsing and sanitization logic that is extremely difficult to implement securely in shell scripts. Reconsider the design to avoid direct execution of user-provided commands. | LLM | scripts/ops/remote-exec.sh:209 | |
| CRITICAL | Remote Command Injection via Unsanitized User Input in SSH Commands In `scripts/ops/log-viewer.sh` and `scripts/ops/process-monitor.sh`, the user-controlled `$FILTER` variable is directly interpolated into the remote command string (`CMD="$CMD | grep --line-buffered -i '$FILTER'"`). This allows an attacker to inject arbitrary shell commands on the remote server by providing a malicious filter string (e.g., `'; rm -rf /; echo '`). Properly escape user-provided strings before embedding them into remote commands. For `grep`, use `grep -F` for fixed string matching instead of regex, or escape regex metacharacters in the filter string. | LLM | scripts/ops/log-viewer.sh:80 | |
| CRITICAL | Remote Command Injection via Unsanitized User Input in SSH Commands In `scripts/ops/log-viewer.sh` and `scripts/ops/process-monitor.sh`, the user-controlled `$FILTER` variable is directly interpolated into the remote command string (`CMD="$CMD | grep --line-buffered -i '$FILTER'"`). This allows an attacker to inject arbitrary shell commands on the remote server by providing a malicious filter string (e.g., `'; rm -rf /; echo '`). Properly escape user-provided strings before embedding them into remote commands. For `grep`, use `grep -F` for fixed string matching instead of regex, or escape regex metacharacters in the filter string. | LLM | scripts/ops/process-monitor.sh:80 | |
| CRITICAL | Remote Command Injection via Unsanitized User Input in SCP Paths In `scripts/ops/file-transfer.sh`, the user-controlled `$LOCAL_PATH` and `$REMOTE_PATH` variables are directly interpolated into `scp` commands. If these paths contain shell metacharacters, they could lead to command injection on either the local or remote host (e.g., `$REMOTE_PATH` could be `/tmp/foo; rm -rf /; echo bar`). Ensure that user-provided paths (`$LOCAL_PATH`, `$REMOTE_PATH`) are properly sanitized and quoted to prevent shell metacharacter interpretation. Consider using `rsync` with appropriate options or a more robust file transfer mechanism that handles path sanitization. | LLM | scripts/ops/file-transfer.sh:70 | |
| HIGH | Persistence mechanism: systemd service Detected systemd service pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/remote-exec.sh:125 | |
| HIGH | Local Command Injection via Unescaped JSON Arguments to tccli In `scripts/lifecycle/create-instance.sh` and `scripts/lifecycle/recommend-instance.sh`, JSON strings for `tccli` parameters (e.g., `--Placement`, `--SystemDisk`, `--Filters`) are constructed by directly embedding user-controlled variables (e.g., `$ZONE`, `$DISK_SIZE`, `$family`). If a user provides input containing unescaped double quotes or shell metacharacters, it could break out of the JSON string and inject arbitrary shell commands before `tccli` is executed. Use `jq` to construct JSON strings from variables, ensuring proper escaping. For example, `PLACEMENT=$(jq -n --arg zone "$ZONE" '{"Zone": $zone}')`. Alternatively, if `tccli` supports it, pass individual parameters instead of pre-formatted JSON strings. | LLM | scripts/lifecycle/create-instance.sh:90 | |
| HIGH | Local Command Injection via Unescaped JSON Arguments to tccli In `scripts/lifecycle/create-instance.sh` and `scripts/lifecycle/recommend-instance.sh`, JSON strings for `tccli` parameters (e.g., `--Placement`, `--SystemDisk`, `--Filters`) are constructed by directly embedding user-controlled variables (e.g., `$ZONE`, `$DISK_SIZE`, `$family`). If a user provides input containing unescaped double quotes or shell metacharacters, it could break out of the JSON string and inject arbitrary shell commands before `tccli` is executed. Use `jq` to construct JSON strings from variables, ensuring proper escaping. For example, `FILTERS_JSON=$(jq -n --arg zone "$zone" --arg family "$family" '[{"Name":"zone","Values":[$zone]},{"Name":"instance-family","Values":[$family]}]')`. Alternatively, if `tccli` supports it, pass individual parameters instead of pre-formatted JSON strings. | LLM | scripts/lifecycle/recommend-instance.sh:180 | |
| HIGH | Plaintext Storage of Instance Passwords The skill stores CVM instance passwords in plaintext within the `~/.tencent_cvm_passwords` file. While the file permissions are set to 600 (user-only read/write), any compromise of the local user account or system could expose all stored CVM instance passwords, leading to unauthorized access to cloud resources. Implement encryption for the password file (e.g., using a master password that the user provides at runtime, or integrating with a system-level key management service). Alternatively, consider relying on SSH keys for authentication or using temporary credentials where possible, rather than storing long-lived plaintext passwords. | LLM | SKILL.md:190 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/common.sh:27 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/disk-usage.sh:46 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/file-transfer.sh:64 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/log-viewer.sh:63 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/network-check.sh:46 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/process-monitor.sh:48 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/remote-exec.sh:276 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/security-check.sh:43 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/service-manage.sh:51 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/ssh-connect.sh:49 | |
| MEDIUM | Sensitive environment variable access: $USER Access to sensitive environment variable '$USER' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/gardenchan/tencentcloud-cvm-skill/scripts/ops/system-info.sh:43 | |
| MEDIUM | SSH Host Key Verification Disabled (Man-in-the-Middle Risk) All `scripts/ops` scripts that use `ssh` or `scp` disable host key checking (`-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`). This makes the connection vulnerable to Man-in-the-Middle (MITM) attacks, where a malicious actor could impersonate the remote server and intercept or alter data, including credentials. Enable host key checking. For automated environments, manage known hosts securely (e.g., pre-populate `known_hosts` with expected host keys or use a central host key management system) rather than disabling verification entirely. | LLM | scripts/ops/ssh-connect.sh:50 | |