Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Pai Aiworkspace

v1.0.3

Manage Alibaba Cloud PAI AIWorkspace (AIWorkSpace) via OpenAPI/SDK. Use whenever the user is operating AIWorkspace resources such as workspace/project invent...

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description and included Python script align with managing Alibaba Cloud AIWorkSpace via OpenAPI metadata discovery. However, the SKILL.md describes using Alibaba Cloud SDKs and prioritizes ALICLOUD_ACCESS_KEY_ID/ALICLOUD_ACCESS_KEY_SECRET/ALICLOUD_REGION_ID and a shared credentials file (~/.alibabacloud/credentials). The skill manifest lists no required environment variables or credentials, which is inconsistent: management operations typically need credentials, so the manifest should declare them or explain why none are required.
! Instruction Scope
The SKILL.md instructs the agent to: read environment variables for Alibaba Cloud credentials, optionally read the shared credentials file (~/.alibabacloud/credentials), pick a region, and run SDK/OpenAPI calls (including mutating Create/Update/Delete patterns). The included script itself only fetches public API metadata from api.aliyun.com (benign), but the higher-level instructions permit mutating API calls and reading a credentials file that is outside the declared manifest scope—this is scope creep unless the skill explicitly requests those credentials.
Install Mechanism
No install spec; the skill is instruction-only plus a small metadata-fetching Python script. No downloads from questionable URLs, no archive extraction, and the script uses only the standard library (urllib). Install mechanism presents low risk.
! Credentials
The SKILL.md recommends using ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / optional ALICLOUD_REGION_ID or the shared credentials file, but the skill metadata lists no required env vars or primary credential. That mismatch is significant: the skill may attempt to read sensitive credentials from environment or disk without them being declared. The guidance to configure 'least-privilege' keys is good, but the manifest should explicitly declare the credentials it needs.
Persistence & Privilege
always is false and the skill does not request persistent system changes or modify other skills. The skill writes outputs to its own output/ directory per SKILL.md. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal for skills; however combined with credential access this increases potential impact—see user guidance.
What to consider before installing
This skill appears to do what it says (discover and call Alibaba Cloud AIWorkSpace OpenAPIs), and the bundled Python script only fetches public API metadata. However, SKILL.md expects you to provide Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET) or a shared credentials file (~/.alibabacloud/credentials), but the skill metadata does not declare these requirements, meaning the agent could try to read credentials from your environment or disk without that being explicit.

Before installing or running:

  • Verify the skill source and owner (no homepage provided).
  • Do not provide high-privilege credentials; create and supply a least-privilege AccessKey pair scoped to only the necessary AIWorkSpace actions if you intend to allow mutating operations.
  • Prefer running the metadata script first (it only fetches public JSON) to inspect the API list; it saves outputs under output/alicloud-ai-pai-aiworkspace/.
  • If you plan to let the agent perform mutating actions, require explicit confirmation for each action and/or restrict credentials to non-production resources.
  • Ask the maintainer to update the skill manifest to explicitly declare the required environment variables and primary credential so the permission model is clear.

If you cannot confirm the origin or the required permissions, treat this as potentially risky and avoid supplying credentials or enabling autonomous invocation.
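The mismatch the scan describes (instructions that reference credentials the manifest never declares) can be checked mechanically before a skill is installed. The following is an added example, not the scanner's logic and not code from the skill: the function names, the regexes, and the idea of passing declared variables and paths as plain collections are assumptions, and the sample text is excerpted from the SKILL.md shown on this page.

```python
import re

# Upper-case identifiers with at least one underscore, e.g. ALICLOUD_REGION_ID.
ENV_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
# Suffixes that mark an environment variable as secret material (assumed list).
SECRET_RE = re.compile(r"(?:ACCESS_KEY_ID|ACCESS_KEY_SECRET|SECRET|TOKEN|PASSWORD)$")
# Dotfile paths under the home directory, e.g. ~/.alibabacloud/credentials.
PATH_RE = re.compile(r"~/\.[\w.-]+(?:/[\w.-]+)*")
# API-name globs that indicate state-changing calls.
MUTATING_RE = re.compile(r"\b(?:Create|Update|Modify|Set|Delete)\*")

# Excerpt of the SKILL.md text shown on this page.
SAMPLE_SKILL_MD = """\
AccessKey priority (must follow)
1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
2. Shared config file: ~/.alibabacloud/credentials
High-frequency operation patterns
2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
"""


def audit_skill(skill_md, declared_env=(), declared_paths=()):
    """Compare what the instructions reference with what the manifest declares."""
    env = sorted(set(ENV_RE.findall(skill_md)) - set(declared_env))
    # Strip a trailing sentence period that the path regex may have swallowed.
    found_paths = {p.rstrip(".") for p in PATH_RE.findall(skill_md)}
    return {
        "undeclared_env": env,
        "undeclared_secret_env": [v for v in env if SECRET_RE.search(v)],
        "undeclared_paths": sorted(found_paths - set(declared_paths)),
        "mutating_patterns": sorted(set(MUTATING_RE.findall(skill_md))),
    }


def verdict(report):
    """Flag skills that read secrets or credential files without declaring them."""
    if report["undeclared_secret_env"] or report["undeclared_paths"]:
        return "suspicious"
    return "ok"


if __name__ == "__main__":
    # The manifest on this page declares nothing, so both collections are empty.
    result = audit_skill(SAMPLE_SKILL_MD)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(result))
```
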


latest vk97fz5gwf8aaanmsewczanszzn82pkpg
1.1k downloads
0 stars
4 versions
Updated 23h ago
MIT-0

Category: service

PAI AIWorkspace

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for Platform for Artificial Intelligence PAI - AIWorkspace.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
     Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: AIWorkSpace
  • Default API version: 2021-02-04
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/alicloud-ai-pai-aiworkspace/

Validation

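mkdir -p output/alicloud-ai-pai-aiworkspace
# Track failures so the marker file is written only when every script compiles.
ok=1
for f in skills/ai/platform/alicloud-ai-pai-aiworkspace/scripts/*.py; do
  python3 -m py_compile "$f" || ok=0
done
[ "$ok" -eq 1 ] && echo "py_compile_ok" > output/alicloud-ai-pai-aiworkspace/validate.txt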

Pass criteria: command exits 0 and output/alicloud-ai-pai-aiworkspace/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-ai-pai-aiworkspace/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md
