CloudSword

Cloud security assessment tool for Chinese cloud providers (Alibaba, Tencent, Huawei, Baidu, Qiniu). Enumerates cloud assets (storage buckets, compute instances, IAM users/roles, domains), tests access permissions, hardens bucket policies, and creates honey tokens for intrusion detection. Has a Metasploit-like CLI interface and MCP protocol support via SSE and STDIO modes.

Evaluated Mar 06, 2026 (0d ago) v0.0.2
Homepage ↗ Repo ↗ Security cloud-security mcp alibaba-cloud tencent-cloud huawei-cloud baidu-cloud qiniu pentest asset-enumeration bucket-security
⚙ Agent Friendliness
55
/ 100
Can an agent use this?
🔒 Security
62
/ 100
Is it safe for agents?
⚡ Reliability
52
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
55
Documentation
50
Error Messages
40
Auth Simplicity
75
Rate Limits
50

🔒 Security

TLS Enforcement
80
Auth Strength
60
Scope Granularity
50
Dep. Hygiene
60
Secret Handling
58

Community/specialized tool. Apply standard security practices for category. Review documentation for specific security requirements.

⚡ Reliability

Uptime/SLA
55
Version Stability
55
Breaking Changes
50
Error Recovery
50
AF Security Reliability

Best When

You need to assess security posture across Chinese cloud providers (Alibaba, Tencent, Huawei, Baidu, Qiniu) and are comfortable with a Chinese-language interface.

Avoid When

You work exclusively with Western cloud providers (AWS/Azure/GCP) or need English-language documentation and interface.

Use Cases

  • Cloud security posture assessment across Chinese cloud providers
  • Enumerating storage buckets, compute instances, and IAM entities
  • Testing object access permissions in cloud storage
  • Automated bucket security hardening (restricting to image-only uploads)
  • Deploying honey tokens for cloud intrusion detection

Not For

  • AWS, Azure, or GCP security testing
  • Non-security cloud management tasks
  • English-only environments (primary interface is Chinese)

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
Yes
SDK
No
Webhooks
No

Authentication

Methods: api-key
OAuth: No Scopes: No

Requires cloud provider access key ID and secret via environment variables (CLOUD_SWORD_ACCESS_KEY_ID, CLOUD_SWORD_ACCESS_KEY_SECRET). Optional security token for temporary credentials. Credentials are not persisted by the tool.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Apache 2.0 licensed. Written in Go. Requires valid credentials for target cloud accounts.

Agent Metadata

Pagination
unknown
Idempotent
Unknown
Retry Guidance
Not documented

Known Gotchas

  • Interface and documentation are entirely in Chinese
  • Very early version (0.0.2) - API surface likely unstable
  • Module coverage varies significantly by cloud provider
  • Security tool that modifies cloud configurations - high risk if used incorrectly
  • Credentials passed via environment variables must be managed carefully

Alternatives

ScoutSuite (multi-cloud, Western providers focused) Prowler (AWS/Azure/GCP security) CloudSploit (multi-cloud open source)

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for CloudSword.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5208
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered