Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alicloud Backup Hbr
v1.0.3
Manage Alibaba Cloud Cloud Backup (HBR) via OpenAPI/SDK. Use whenever the user asks for backup lifecycle operations such as resource listing, policy/config u...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md, references, and the included script all align with managing Alibaba Cloud HBR via OpenAPI/SDK and metadata discovery. The included script fetches API metadata from api.aliyun.com which is appropriate for this purpose. However, the package metadata lists no required environment variables or primary credential, while SKILL.md explicitly documents required Alibaba Cloud credentials and a shared config file — an omission in the registry metadata.
Instruction Scope
The SKILL.md gives specific, narrow runtime instructions: discover APIs, use SDK/OpenAPI Explorer, run the provided metadata script, and write outputs to output/alicloud-backup-hbr/. It asks to confirm region/ids and to ask the user before mutating operations. The instructions do not ask the agent to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec. The single script performs simple HTTP GETs to official api.aliyun.com metadata endpoints and writes files to an output directory. No downloads from untrusted hosts or archive extraction are present.
Credentials
SKILL.md requires ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID, or the shared config at ~/.alibabacloud/credentials. Those credentials are proportionate to calling Alibaba Cloud APIs, but the registry metadata declares no required env vars or primary credential — this mismatch is a material inconsistency. The skill will need sensitive keys to perform mutations; the user should ensure least-privilege credentials are used and be aware that evidence files may include resource identifiers and parameters.
Persistence & Privilege
The skill is not set to always:true and does not request any special persistent system privileges. Model invocation is enabled (default), which is normal; there is no code that modifies other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it says (discover HBR OpenAPI metadata and guide SDK/API calls), but it documents needing Alibaba Cloud credentials while the registry metadata lists none. Before installing: (1) verify you are willing to provide ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET (use a least-privilege key scope), (2) confirm the skill will only write outputs under output/alicloud-backup-hbr/ and will not send data to unknown endpoints, (3) if you want to run mutating operations, ensure the agent asks you to confirm region/resource IDs (SKILL.md promises this), and (4) consider updating the registry metadata to declare the required env vars or only provide credentials interactively when needed. If you cannot supply controlled credentials or need assurance about auditing, treat this as untrusted until you validate its runtime behavior in a sandbox.
Like a lobster shell, security has layers — review code before you run it.
latest vk9740zagdgw6kx3rek3b6w8db982qbmj
