Alicloud Ai Translation Anytrans
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears to be a legitimate Alibaba Cloud translation-service helper, but it can use cloud credentials to make real service changes, so users should use least-privilege credentials and confirm mutations.
Install this only if you want the agent to help manage Alibaba Cloud AnyTrans resources. Configure a least-privilege Alibaba Cloud key, set the region deliberately, require confirmation before any Create/Update/Modify/Set call, and review generated output files for sensitive operational details.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create or modify AnyTrans resources, which may affect service behavior, account configuration, or costs.
The skill is designed to drive Alibaba Cloud OpenAPI/SDK operations, including mutating operations. This is purpose-aligned, but those calls can change real cloud resources.
Call API with SDK or OpenAPI Explorer. ... Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.
Before any mutating API call, confirm the exact API name, region, resource ID, request parameters, and expected impact with the user.
If broad credentials are available, the agent may act with those Alibaba Cloud permissions while managing AnyTrans resources.
The skill expects Alibaba Cloud credentials and can fall back to the local shared credentials file. This is normal for cloud management, but it grants delegated account authority.
Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`
Use a least-privilege AccessKey limited to the needed AnyTrans APIs, set the intended region explicitly, and avoid root or broadly scoped account keys.
Running the script contacts api.aliyun.com and creates local inventory files under the configured output directory.
The optional quickstart script runs local Python code, fetches public OpenAPI metadata from Alibaba Cloud, and writes output files. The behavior is disclosed and aligned with metadata discovery.
with urllib.request.urlopen(req, timeout=timeout) as resp: ... json_file.write_text(json.dumps(payload, ensure_ascii=False, indent=2), encoding="utf-8")
Run the script only when metadata discovery is intended, keep outputs in the skill output directory, and use trusted product/version override values.
Local output files may reveal cloud regions, resource IDs, task timing, or API response details to anyone with access to the workspace.
The skill stores operational evidence locally, including resource identifiers and API summaries. This is useful for reproducibility but may contain sensitive operational details.
Save artifacts, command outputs, and API response summaries under `output/alicloud-ai-translation-anytrans/`. Include key parameters (region/resource id/time range) in evidence files
Do not store secrets in evidence files, protect the output directory, and delete generated artifacts when they are no longer needed.