Alicloud Compute Ecs
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: alicloud-compute-ecs Version: 1.0.3 The skill bundle provides a legitimate set of tools for managing Alibaba Cloud ECS instances using official SDKs. It includes scripts for cross-region inventory (list_instances_all_regions.py), resource monitoring (query_instance_usage.py), and remote command execution via the Cloud Assistant service (run_remote_command.py). While the ability to run remote commands is a high-privilege operation, the implementation is transparent, aligned with the stated purpose, and lacks any indicators of malicious intent, obfuscation, or unauthorized data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could execute commands on a cloud VM, affecting services or exposing data from that instance.
The skill includes a user-directed helper that submits arbitrary shell or PowerShell command text to an ECS instance via Alibaba Cloud Assistant.
parser.add_argument("--command", required=True, help="Shell command text, e.g. 'ps -ef'") ... run_resp = client.run_command(run_req)Only run remote commands after confirming the exact instance, region, command text, and expected impact; use least-privileged RAM permissions where possible.
Credentials with broad ECS permissions could allow listing, modifying, stopping, deleting, or otherwise controlling cloud infrastructure.
The scripts use Alibaba Cloud access keys from environment variables to authenticate API calls.
ak = os.getenv("ALICLOUD_ACCESS_KEY_ID") or os.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID") ... config.access_key_secret = skUse a dedicated RAM user or role with least privilege, avoid long-lived broad AccessKeys, and rotate credentials if they are exposed.
Future dependency changes could alter behavior or introduce vulnerable versions.
The setup instructions install SDK packages without version pins. This is common for examples but leaves dependency versions to the package resolver.
python -m pip install alibabacloud_ecs20140526 alibabacloud_tea_openapi alibabacloud_credentials
Install in a virtual environment, pin package versions for production use, and obtain packages from trusted package indexes.
Saved files may contain instance IDs, names, network identifiers, command arguments, or command output that could be sensitive.
The skill intentionally persists inventory and evidence outputs locally; remote-command results also include decoded stdout in JSON.
Save list/summarize outputs under `output/alicloud-compute-ecs/`.
Store outputs in a protected location, avoid commands that print secrets, and delete or redact evidence files when no longer needed.