Alicloud Ai Recommend Airec
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: alicloud-ai-recommend-airec
Version: 1.0.3
The skill bundle is a legitimate tool for managing Alibaba Cloud AIRec resources via OpenAPI. The primary script, `scripts/list_openapi_meta_apis.py`, fetches API documentation from official Alibaba Cloud metadata endpoints (api.aliyun.com) and saves it to a local output directory. No evidence of data exfiltration, credential theft, or unauthorized execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If broad Alibaba Cloud credentials are available, the agent may be able to list or change AIRec resources within those permissions.
The skill directs the agent to use Alibaba Cloud account credentials, including a local shared credentials file. This is expected for the stated cloud-management purpose, but it grants delegated account authority.
Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`
Use a dedicated least-privilege Alibaba Cloud RAM user or role limited to the needed AIRec actions and region; avoid admin keys and rotate or revoke credentials when finished.
Wrong region, resource ID, or parameters could alter AIRec resources unintentionally.
The skill explicitly supports mutating AIRec resources through Alibaba Cloud OpenAPI/SDK. This matches the stated purpose, but such operations can change cloud configuration.
Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.
Require an execution plan and explicit user confirmation before create/update/modify/set calls, then verify results with describe/list APIs.
Local output files could reveal cloud resource names, IDs, regions, or configuration context if shared or committed.
The skill stores local evidence files that may include cloud resource identifiers or operational details. This is scoped and purpose-aligned, but users should treat the outputs as potentially sensitive.
Save artifacts, command outputs, and API response summaries under `output/alicloud-ai-recommend-airec/`. Include key parameters (region/resource id/time range) in evidence files
Review and redact output files before sharing, avoid saving secrets in evidence files, and clean the output directory when no longer needed.
