Alicloud Compute Ecs
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned Alibaba Cloud ECS administration skill, but it can use cloud credentials and run commands on ECS instances, so users should scope credentials and review actions carefully.
Install only if you want an agent to help administer Alibaba Cloud ECS. Use a least-privileged RAM role or AccessKey, review any create/delete/stop/security-group or remote-command action before execution, pin SDK dependencies if used operationally, and protect generated output files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could execute commands on a cloud VM, affecting services or exposing data from that instance.
The skill includes a user-directed helper that submits arbitrary shell or PowerShell command text to an ECS instance via Alibaba Cloud Assistant.
parser.add_argument("--command", required=True, help="Shell command text, e.g. 'ps -ef'") ... run_resp = client.run_command(run_req)
Only run remote commands after confirming the exact instance, region, command text, and expected impact; use least-privileged RAM permissions where possible.
Credentials with broad ECS permissions could allow listing, modifying, stopping, deleting, or otherwise controlling cloud infrastructure.
The scripts use Alibaba Cloud access keys from environment variables to authenticate API calls.
ak = os.getenv("ALICLOUD_ACCESS_KEY_ID") or os.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID") ... config.access_key_secret = sk
Use a dedicated RAM user or role with least privilege, avoid long-lived broad AccessKeys, and rotate credentials if they are exposed.
Future dependency changes could alter behavior or introduce vulnerable versions.
The setup instructions install SDK packages without version pins. This is common for examples but leaves dependency versions to the package resolver.
python -m pip install alibabacloud_ecs20140526 alibabacloud_tea_openapi alibabacloud_credentials
Install in a virtual environment, pin package versions for production use, and obtain packages from trusted package indexes.
Saved files may contain instance IDs, names, network identifiers, command arguments, or command output that could be sensitive.
The skill intentionally persists inventory and evidence outputs locally; remote-command results also include decoded stdout in JSON.
Save list/summarize outputs under `output/alicloud-compute-ecs/`.
Store outputs in a protected location, avoid commands that print secrets, and delete or redact evidence files when no longer needed.
