Alicloud Backup Bdrc
v1.0.3
Manage Alibaba Cloud Backup and Disaster Recovery Center (BDRC) via OpenAPI/SDK. Use whenever the user needs backup/disaster-recovery resource operations, in...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill description and scripts match the stated purpose (manage Alibaba Cloud BDRC via OpenAPI). However, SKILL.md explicitly requires Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID/ALICLOUD_ACCESS_KEY_SECRET and optional ALICLOUD_REGION_ID) and references the shared config file ~/.alibabacloud/credentials, yet the registry metadata lists no required env vars and no primary credential. This mismatch is an inconsistency in what the skill claims vs. what it needs at runtime.
Instruction Scope
SKILL.md instructs the agent to read environment variables and the shared credentials file and to call external OpenAPI metadata endpoints (api.aliyun.com). The included script fetches public API metadata and writes artifacts to output/alicloud-backup-bdrc/. The instructions therefore access credentials/config paths not declared in the metadata — a scope mismatch. Otherwise, the runtime actions (API discovery, describe/list, create/update) are within the claimed purpose and there is no evidence of unexpected data exfiltration endpoints.
Install Mechanism
No install spec is provided (instruction-only plus one small Python script). The script uses urllib to fetch API metadata from api.aliyun.com (a plausible official source). There are no downloads from untrusted URLs, no archive extraction, and no package installs — low install risk.
Credentials
The SKILL.md requires cloud access credentials (access key id/secret and optional region) and references the shared credentials file; those are reasonable for a cloud management skill. However, the skill metadata does not declare these required environment variables or a primary credential. That omission reduces transparency and could lead to accidental credential exposure or misuse if users aren't warned. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not force-included (always:false) and does not request persistent platform privileges. It only writes outputs to its own output directory. There is no evidence it modifies other skills or global agent settings.
What to consider before installing
This skill appears to do what it says (manage Alibaba Cloud BDRC) and includes a simple script that fetches public API metadata. However, SKILL.md expects you to provide Alibaba Cloud credentials via environment variables or ~/.alibabacloud/credentials while the registry metadata does not declare these requirements — an inconsistency you should resolve before installing.
Before proceeding:
- Treat this as requiring Alibaba Cloud access keys. Only provide least-privilege credentials (or temporary STS tokens) scoped to BDRC operations and avoid using root account keys.
- Prefer running the skill in an isolated or test account until you verify behavior.
- Inspect the included script (it fetches api.aliyun.com metadata and writes to output/) — no obfuscated network endpoints were found.
- Ask the publisher/registry to update the skill metadata to declare the required env vars and primary credential so manifest and runtime expectations match.
- When running, ensure the agent prompts you before any mutating operations and review saved output/alicloud-backup-bdrc/ artifacts for sensitive data before sharing.
If you want higher assurance, request evidence of the publisher's identity/source/homepage and/or run the skill in a sandboxed environment first.
Like a lobster shell, security has layers — review code before you run it.
latest
Category: service
Backup and Disaster Recovery Center
Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for Backup and Disaster Recovery Center.
Workflow
- Confirm region, resource identifiers, and desired action.
- Discover API list and required parameters (see references).
- Call API with SDK or OpenAPI Explorer.
- Verify results with describe/list APIs.
AccessKey priority (must follow)
- Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
  Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
- Shared config file: ~/.alibabacloud/credentials
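An added example, not part of the skill or its scripts: one way to apply this priority order in Python while refusing a half-set key pair and a group/world-readable credentials file. The function names, the `[default]` profile with `access_key_id` / `access_key_secret` keys, and the 0600 check are assumptions; the demo values are constructed.

```python
import configparser
import os
import stat
from pathlib import Path

ENV_ID, ENV_SECRET = "ALICLOUD_ACCESS_KEY_ID", "ALICLOUD_ACCESS_KEY_SECRET"
ENV_REGION = "ALICLOUD_REGION_ID"


def resolve_credentials(env=None, cred_file=None):
    """Return (source, key_id, secret, region): environment first, then file."""
    env = os.environ if env is None else env
    cred_file = Path(cred_file or Path.home() / ".alibabacloud" / "credentials")
    region = env.get(ENV_REGION) or None  # optional default; None means "ask"

    key_id, secret = env.get(ENV_ID), env.get(ENV_SECRET)
    if key_id and secret:
        return "env", key_id, secret, region
    if key_id or secret:
        # Half a key pair is a misconfiguration; do not silently fall through.
        raise ValueError("only one of the two AccessKey variables is set")

    if not cred_file.is_file():
        raise FileNotFoundError("no AccessKey in environment or shared config file")
    # A key file readable by group/other is exposed to every local account.
    if os.name == "posix" and cred_file.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{cred_file} should be mode 0600")
    cfg = configparser.ConfigParser()
    cfg.read(cred_file)
    profile = cfg["default"]  # assumed profile name and key names
    return "file", profile["access_key_id"], profile["access_key_secret"], region


def mask(key_id):
    """Loggable form of an AccessKey ID; the secret itself is never logged."""
    if len(key_id) <= 8:
        return "*" * len(key_id)
    return key_id[:4] + "*" * (len(key_id) - 8) + key_id[-4:]


if __name__ == "__main__":
    # Constructed values, not real keys.
    demo_env = {ENV_ID: "LTAIconstructed0001", ENV_SECRET: "constructed-secret"}
    source, key_id, _secret, region = resolve_credentials(demo_env)
    print(source, mask(key_id), region or "<region unset: decide or ask>")
```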
API discovery
- Product code: BDRC
- Default API version: 2023-08-08
- Use OpenAPI metadata endpoints to list APIs and get schemas (see references).
High-frequency operation patterns
- Inventory/list: prefer List* / Describe* APIs to get current resources.
- Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
- Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.
Minimal executable quickstart
Use metadata-first discovery before calling business APIs:
python scripts/list_openapi_meta_apis.py
Optional overrides:
python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>
The script writes API inventory artifacts under the skill output directory.
Output policy
If you need to save responses or generated artifacts, write them under:
output/alicloud-backup-bdrc/
Validation
mkdir -p output/alicloud-backup-bdrc
for f in skills/backup/alicloud-backup-bdrc/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-backup-bdrc/validate.txt
Pass criteria: command exits 0 and output/alicloud-backup-bdrc/validate.txt is generated.
Output And Evidence
- Save artifacts, command outputs, and API response summaries under output/alicloud-backup-bdrc/.
- Include key parameters (region/resource id/time range) in evidence files for reproducibility.
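An added example, not part of the skill: a pre-sharing check that walks the output directory and flags lines containing the currently exported secret, AccessKey-ID-shaped strings, or secret-bearing field names. The `LTAI` prefix pattern, the field-name list and the function names are assumptions; the demo artifacts are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: AccessKey IDs look like "LTAI" plus 12-26 alphanumerics.
KEY_ID_RE = re.compile(r"\bLTAI[0-9A-Za-z]{12,26}\b")
# Field names that carry secrets in request dumps or saved responses.
FIELD_RE = re.compile(r"(access_?key_?secret|security_?token)\W+\S{8,}", re.I)


def scan_artifacts(out_dir, known_secrets=()):
    """Return (relative_path, line_no, reason) for each suspicious line."""
    root, findings = Path(out_dir), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for n, line in enumerate(text.splitlines(), 1):
            if any(s and s in line for s in known_secrets):
                findings.append((rel, n, "live secret value"))
            elif KEY_ID_RE.search(line):
                findings.append((rel, n, "AccessKey ID"))
            elif FIELD_RE.search(line):
                findings.append((rel, n, "secret-bearing field"))
    return findings


def scan_with_env(out_dir="output/alicloud-backup-bdrc", env=None):
    """Scan using the secret currently exported to the agent, if any."""
    env = os.environ if env is None else env
    return scan_artifacts(out_dir, [env.get("ALICLOUD_ACCESS_KEY_SECRET", "")])


if __name__ == "__main__":
    # Constructed artifacts standing in for a real output directory.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "validate.txt").write_text("py_compile_ok\n")
        Path(d, "debug.log").write_text(
            "GET /?AccessKeyId=LTAI5tConstructedKey01&Version=2023-08-08\n"
            '{"SecurityToken": "CAIS-constructed-token-value"}\n'
        )
        for finding in scan_artifacts(d):
            print(*finding)
```

The findings carry only file, line number and reason, so the report itself can be shared without repeating the matched value.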
Prerequisites
- Configure least-privilege Alibaba Cloud credentials before execution.
- Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
- If region is unclear, ask the user before running mutating operations.
References
- Sources:
references/sources.md
