ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Content Aicontent

v1.0.4

Manage Alibaba Cloud AIContent (AiContent) via OpenAPI/SDK. Use whenever the user needs AI content generation or content workflow operations in Alibaba Cloud...

0· 1.2k·2 current·2 all-time
by@cinience
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md clearly expects Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID or ~/.alibabacloud/credentials) yet the registry metadata lists no required environment variables or primary credential. A skill that manages cloud resources should declare required credentials in metadata; the omission is an incoherence between declared requirements and actual runtime needs.
Instruction Scope
Runtime instructions are narrowly scoped to API discovery and calling Alibaba Cloud OpenAPI/SDKs, and the included script only fetches official api.aliyun.com metadata and writes it to output/. However the SKILL.md instructs saving 'key parameters (region/resource id/time range) in evidence files' which can cause sensitive identifiers or parameters to be stored on disk; it also tells the agent to pick a 'reasonable region' if env var is unset, granting the agent discretion that could lead to unintended actions. Overall the instruction set is consistent with the stated purpose but contains a few operational choices (writing evidence files, choosing a region) that deserve user attention.
Install Mechanism
No install spec; skill is instruction-only with one small helper script. The included Python script fetches JSON from an official aliyun api domain and writes local files. No downloads from untrusted hosts, no extract/execute installs detected.
!
Credentials
The SKILL.md requires long-lived cloud credentials and suggests using a shared credentials file, but the skill metadata declares no environment variables or primary credential. This is disproportionate because users won't see the declared requirements when installing the skill; they may inadvertently run it without knowing credentials are needed. The credential scope requirement (access keys that can call AiContent APIs) is appropriate for the functionality, but the lack of declaration is a transparency/privilege problem.
Persistence & Privilege
always:false and no modifications to other skills or global agent config. The skill does write artifacts under its own output/ directory (documented). No elevated persistence or cross-skill config changes were found.
What to consider before installing
This skill appears to implement Alibaba Cloud AiContent API discovery and is not obviously malicious, but there are transparency issues you should address before use: 1) The SKILL.md requires ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET (and optionally ALICLOUD_REGION_ID or ~/.alibabacloud/credentials) but those credentials are not declared in the registry metadata — ask the publisher to update the metadata so you know what secrets the skill needs. 2) Only provide least-privilege IAM keys scoped to the AiContent operations you intend to allow; avoid using high-privilege or account-wide keys. 3) Review the included script (scripts/list_openapi_meta_apis.py) yourself — it currently only fetches api.aliyun.com metadata and writes to output/, which is expected. 4) Be careful about saved 'evidence' files: they may include region/resource IDs or parameters you consider sensitive — consider running the skill in an isolated environment or audit output/ before sharing. 5) If you require stronger guarantees, request the publisher to declare required env vars in metadata and to provide a minimal permission policy (IAM) for the keys the skill needs. If you are uncomfortable providing credentials, do not run mutating operations and restrict the agent to read-only discovery calls.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ffkke7avrkdakae7gwpfveh82qm4k
1.2kdownloads
0stars
5versions
Updated 22h ago
v1.0.4
MIT-0
@cinience
latest
Download

Category: service

AIContent

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for AIContent.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: AiContent
  • Default API version: 20240611
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/alicloud-ai-content-aicontent/

Validation

mkdir -p output/alicloud-ai-content-aicontent
for f in skills/ai/content/alicloud-ai-content-aicontent/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-ai-content-aicontent/validate.txt

Pass criteria: command exits 0 and output/alicloud-ai-content-aicontent/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-ai-content-aicontent/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md

Comments

Loading comments...