ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Cloud Call Center

v1.0.3

Manage Alibaba Cloud Cloud Call Center (CCC) via OpenAPI/SDK. Use whenever the user is working on CCC operations such as instance/resource management, config...

0· 1.1k·2 current·2 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to manage Alibaba Cloud CCC and its SKILL.md explicitly requires ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET (or ~/.alibabacloud/credentials) and a region; however the registry metadata lists no required environment variables, no primary credential, and no config paths. That inconsistency is disproportionate to the declared metadata and may mislead users about what secrets the skill needs.
Instruction Scope
Runtime instructions are generally within the stated purpose (discover API metadata, call APIs, verify results). They explicitly prioritize env vars and a shared credentials file and instruct writing API responses and evidence under output/alicloud-ai-cloud-call-center/. Asking to save request/response evidence is reasonable for reproducibility but increases risk of persisting sensitive info (resource identifiers, potentially token-like data) to disk. The SKILL.md does not instruct contacting any endpoints outside Alibaba's official meta API (the included script fetches api.aliyun.com).
Install Mechanism
No install spec; the skill is instruction-only with a small helper script that performs only an HTTPS GET to an official Alibaba meta endpoint and writes JSON/MD to the local output directory. No third-party downloads or extracted archives are present.
!
Credentials
The SKILL.md requires sensitive credentials (ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET) and optionally reading ~/.alibabacloud/credentials, but these are not declared in the skill's registry 'requires' metadata. That mismatch could prevent appropriate prompts, auditing, or least-privilege enforcement and may cause accidental credential exposure when outputs are written to disk.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The skill does not request forced always-on presence and does not modify other skills or global agent config. It writes artifacts only under its declared output directory.
What to consider before installing
This skill appears to be functionally aligned with managing Alibaba Cloud CCC, but it has a practical mismatch: the documentation requires your Alibaba access key and/or shared credentials file while the registry metadata does not declare those requirements. Before installing or running it: 1) Verify the skill's source and trust the publisher (no homepage provided). 2) Only provide least-privilege Alibaba credentials and prefer a throwaway or scoped key for testing. 3) Confirm the agent will be prompted for ALICLOUD_* env vars or that you supply them in a controlled environment; do NOT paste long-lived credentials into chat. 4) Expect the skill to write API responses and evidence to output/alicloud-ai-cloud-call-center/ — review those files for sensitive data and remove them when done. 5) If you need stronger assurance, ask the publisher to update registry metadata to declare required env vars and config paths, and to document exactly what will be written to disk.

Like a lobster shell, security has layers — review code before you run it.

latestvk970vc584y6pzd9qdf0c5hyegh82qqa5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments