Alicloud Ai Content Aimiaobi
ReviewAudited by ClawScan on May 10, 2026.
Overview
The artifacts do not show malicious behavior, but this unknown-source cloud-management skill can use Alibaba Cloud credentials to make real AiMiaoBi changes and save local output files.
Install this only if you want OpenClaw to help manage Alibaba Cloud AiMiaoBi. Before use, configure a dedicated least-privilege Alibaba Cloud key, verify the target region and resource IDs, explicitly approve any create/update/modify/set operation, and periodically clean the skill's output directory.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with valid credentials, the agent may create or modify AiMiaoBi resources or configurations in the user's Alibaba Cloud account.
The skill authorizes the agent to perform mutating Alibaba Cloud API operations. This matches the management purpose and includes some scoping steps, but the actions can still change cloud resources.
Call API with SDK or OpenAPI Explorer. ... Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.
Use least-privilege Alibaba Cloud permissions and require explicit review of the region, resource ID, API name, and parameters before any mutating call.
A broadly privileged AccessKey could let the agent affect more Alibaba Cloud resources than intended.
The skill uses Alibaba Cloud account credentials and can fall back to a local shared credential profile. This is expected for the service integration, but those credentials may carry broad account privileges.
Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`
Create a dedicated least-privilege RAM user/key for AiMiaoBi tasks and avoid using broad administrator credentials.
Users have less external context for judging the publisher or update history of a skill that can operate on cloud resources.
The registry information does not provide a source repository or homepage for independent provenance review. The included code is small and visible, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown Homepage: none
Inspect the provided artifacts and only install if you trust the registry owner and are comfortable with the cloud permissions granted.
Local output files may retain cloud resource details after the task is complete.
The skill intentionally persists API outputs and operational parameters locally. This is useful for reproducibility, but those files may contain resource identifiers or status details.
Save artifacts, command outputs, and API response summaries under `output/alicloud-ai-content-aimiaobi/`. ... Include key parameters (region/resource id/time range) in evidence files
Do not save secrets in evidence files, protect the output directory, and remove outputs when they are no longer needed.