ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Translation Anytrans

v1.0.3

Manage Alibaba Cloud TongyiTranslate (AnyTrans) via OpenAPI/SDK. Use whenever the user needs translation service resource operations in Alibaba Cloud, includ...

0· 1.2k·4 current·4 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (manage Alibaba Cloud TongyiTranslate/AnyTrans) legitimately requires Alibaba Cloud credentials and region info, and the SKILL.md indeed instructs use of ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID and ~/.alibabacloud/credentials. However, the skill's registry metadata lists no required env vars or primary credential. This mismatch between declared requirements and actual instructions is incoherent and worth verifying.
!
Instruction Scope
SKILL.md explicitly instructs the agent to read environment variables and the shared credentials file (~/.alibabacloud/credentials), discover APIs, call SDK/OpenAPI Explorer, and save evidence including key parameters (region/resource id/time range). Those actions are within the stated translation-management purpose, but they do require access to local credential material and potentially record resource identifiers — and the instructions access files/env vars not declared in the metadata. The agent is also allowed to choose a region if none is set, which grants some discretion.
Install Mechanism
No install spec (instruction-only) and included helper script only fetches public metadata from api.aliyun.com. There's nothing being downloaded or executed during an install step, which minimizes install-time risk.
!
Credentials
The runtime expects ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET and optionally ALICLOUD_REGION_ID or the shared config file. Those credentials are proportionate to managing Alibaba Cloud resources, but the manifest did not declare them. Requiring secret keys without declaring them reduces transparency and is a red flag for least-privilege review.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide config. It writes outputs to a skill-specific output/ directory as documented, which is normal.
What to consider before installing
This skill appears to be a legitimate helper for Alibaba Cloud AnyTrans, but the SKILL.md requires your Alibaba Cloud access key/secret or the standard credentials file while the registry metadata lists no required credentials — verify this before proceeding. If you plan to use it: (1) prefer creating an IAM user or role with least privilege (only AnyTrans permissions) and use temporary credentials or scoped API keys; (2) do not supply high-privilege or root keys; (3) review the included script (scripts/list_openapi_meta_apis.py) — it only fetches public API metadata from api.aliyun.com; (4) run the skill in a sandbox or with limited credentials first and confirm it asks before any mutating operations; (5) be aware it will write outputs/evidence (including region/resource IDs) to output/alicloud-ai-translation-anytrans/ — avoid saving very sensitive secrets there. If you cannot verify the source or cannot provide a scoped credential, consider not installing or only running its read-only parts manually.

Like a lobster shell, security has layers — review code before you run it.

latestvk97027h6e1tctvsbzzht7d277982qbe8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments