Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alicloud Ai Content Aimiaobi
v1.0.3Manage Alibaba Cloud Quan Miao (AiMiaoBi) via OpenAPI/SDK. Use whenever the user asks for Alibaba Cloud MiaoBi content operations, including listing resource...
⭐ 0· 1.4k·3 current·4 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md clearly expects the agent to use Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optionally ALICLOUD_REGION_ID) or the shared config (~/.alibabacloud/credentials) to call SDK/OpenAPI. However, the registry metadata lists no required environment variables or primary credential. That inconsistency means the skill may need sensitive credentials even though the metadata doesn't declare them.
Instruction Scope
The instructions are generally scoped to discovering and calling Alibaba Cloud OpenAPI metadata and actual service APIs for AiMiaoBi. They instruct the agent to use SDKs/OpenAPI Explorer, prefer list/describe APIs for inventory, and to ask the user before mutating operations — which is appropriate. However, the agent is also instructed to include key parameters in evidence files and to write artifacts under output/, which will store resource identifiers and other context; this is expected but worth noting for sensitive data handling. The provided Python script only fetches public API metadata and does not access credentials.
Install Mechanism
There is no install spec; the skill is instruction-only with a small included Python script. The script makes an HTTPS GET to api.aliyun.com to fetch OpenAPI metadata and writes files under output/. No unusual downloads, archive extraction, or third-party package installs are present.
Credentials
The SKILL.md requires (and prioritizes) environment variables and a shared credentials file that contain highly sensitive secrets (Alibaba Cloud Access Key ID / Secret). The skill metadata does not declare these requirements. Requesting secret credentials is reasonable for a cloud-management skill, but the omission in the manifest is a mismatch that increases risk: users may not realize the skill will read or rely on secrets. Also, instructions to save evidence containing key parameters could inadvertently capture sensitive identifiers if not handled carefully.
Persistence & Privilege
The skill is not marked always:true and does not attempt to modify other skills or system-wide settings. disable-model-invocation is false (normal). The skill writes outputs only under its own output/ path per SKILL.md, which is appropriate.
What to consider before installing
This skill is for managing Alibaba Cloud AiMiaoBi and legitimately needs Alibaba Cloud credentials to perform SDK/API operations, but the skill's registry metadata does not declare those credentials — that's the main red flag. Before installing or running it: (1) Confirm with the publisher why required credentials are omitted from the metadata. (2) Inspect the included files locally (SKILL.md and scripts) — the provided script only fetches public API metadata and does not use secrets. (3) If you run the skill, supply least-privilege credentials (prefer read-only or narrow-scope temporary credentials) and consider running in a sandboxed account or environment. (4) Be cautious about storing or exposing output files; they may contain resource IDs or timestamps that you consider sensitive. (5) If you need mutating operations, require explicit user confirmation and audit logs. If the publisher can't justify the metadata omission, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk971vvepvqg1vt4tz2mb9gm3e982qak2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.