Aliyun AI Guardrail
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a real Aliyun guardrail installer, but it needs review because it installs an always-on hook that can inspect, send, and rewrite agent chat requests using your Alibaba Cloud keys.
Install this only if you want an always-on guardrail that can inspect and modify agent messages and send prompt text to Alibaba Cloud. Use a tightly scoped Alibaba Cloud key, review the npm dependency, protect the OpenClaw config file, and make sure you know how to disable or uninstall the hook.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After installation, the agent may automatically inspect and change chat-style outbound requests across sessions, not just a narrowly configured model call.
The hook monkey-patches global fetch and rewrites any outgoing JSON request whose body contains a messages array. The code does not show an allowlist limiting this to specific LLM provider endpoints.
const originalFetch = globalThis.fetch; ... if (Array.isArray(parsed?.messages) && parsed.messages.length > 0) { ... replaceUserContent(...); ... globalThis.fetch = patchedFetch;
Limit interception to known LLM endpoints or OpenClaw hook APIs, add clear enable/disable and uninstall instructions, and make the broad interception behavior explicit before installation.
Private prompt text may leave the local environment and be processed by Alibaba Cloud whenever the hook sees a matching request.
The hook sends user message content to Alibaba Cloud for guardrail analysis. Because interception is based on any messages-shaped fetch body, the exact data boundary is broader than a single declared LLM endpoint.
config.endpoint = `green-cip.cn-beijing.aliyuncs.com`; ... body['ServiceParameters'] = JSON.stringify({ content: content.slice(0, 2000) });
Install only if this cloud processing is acceptable, document the destination and data handling clearly, and consider adding opt-out, redaction, endpoint allowlisting, or configurable region controls.
If the config file or chat transcript is exposed, the Alibaba Cloud key could be abused according to its account permissions.
The skill requires Alibaba Cloud credentials and stores them in OpenClaw configuration. This is expected for the Aliyun API integration, but these credentials are sensitive.
Ask the user for their Alibaba Cloud AccessKey ID and AccessKey Secret... "ALIBABA_CLOUD_ACCESS_KEY_SECRET": "<user-provided SK>"
Use a least-privilege RAM AccessKey limited to the guardrail service, protect openclaw.json permissions, and rotate the key if it was shared in an unsafe place.
Installation may fetch dependency code that was not included in the reviewed files.
The package depends on an external npm package using a version range. That is normal for this cloud integration, but the resolved code can change without a lockfile in the provided artifacts.
"dependencies": { "@alicloud/openapi-client": "^0.4.12" }
Prefer pinned dependencies and a lockfile, or review the resolved npm package before installing the hook.
The guardrail remains active after restart and can continue intercepting requests until the hook is disabled or removed.
The hook is configured to load automatically on agent bootstrap. This is consistent with a guardrail, but it means the behavior persists across sessions.
metadata: { "openclaw": { "events": ["agent:bootstrap"],"always": true} }
Provide and review clear disable/uninstall steps before relying on the hook in sensitive workflows.
