Alicloud Database RDS Custom

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a read-only AliCloud RDS Custom query helper, but it relies on your AliCloud CLI credentials and can display sensitive cloud access details.

Before installing, confirm you trust the AliCloud CLI installer and configure the CLI with a least-privileged read-only AliCloud account. Treat outputs such as instance IDs, private IPs, VPC IDs, KubeConfig, and VNC URLs as sensitive.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse

Medium

What this means

Anyone using this skill with a powerful AliCloud CLI profile could expose or query cloud resources allowed by that profile.

Why it was flagged

The skill depends on AliCloud account credentials to call RDS APIs. This is expected for the stated purpose, but it creates an important permission boundary.

Skill content

aliyun configure ... 需要输入：- AccessKey ID - AccessKey Secret

Recommendation

Use a least-privileged AliCloud RAM user or policy limited to the specific read-only RDS/RC Describe actions needed.

#ASI03: Identity and Privilege Abuse

Medium

What this means

If requested or invoked, outputs may include access-enabling configuration or login URLs that should not be shared in chat logs or tickets.

Why it was flagged

The skill advertises queries for KubeConfig and VNC login URLs, which are more sensitive than ordinary instance inventory even though they are disclosed and purpose-related.

Skill content

`DescribeRCClusterConfig` | 查询 ACK 集群 KubeConfig ... `DescribeRCInstanceVncUrl` | 查询 VNC 登录地址

Recommendation

Retrieve KubeConfig or VNC URLs only when explicitly needed, redact sensitive output, and avoid sharing transcripts containing those values.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Running a downloaded installer executes code on the local machine, so a compromised or mistyped source could affect the environment.

Why it was flagged

The setup instructions use a user-directed remote installer command. This is common for CLI setup, but users should verify the source before running it.

Skill content

/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"

Recommendation

Install the AliCloud CLI from official documentation, verify the URL, and avoid running remote installer commands you do not trust.