Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Compute Fc Agentrun

v1.0.3

Manage Function Compute AgentRun resources via OpenAPI (runtime, sandbox, model, memory, credentials). Use for creating runtimes/endpoints, querying status,...

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and included scripts implement AgentRun runtime/endpoint operations (create/publish/delete) which match the skill name and description. However, the registry metadata claims no required environment variables or primary credential while the scripts and SKILL.md clearly require ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET (and optionally a security token). That mismatch is inconsistent and unexplained.
Instruction Scope
The runtime instructions and scripts stay within the stated purpose: they call the AgentRun SDK to list, create, publish, and delete runtimes/endpoints and write API responses to a local output directory. They do not reference unrelated system files or external endpoints beyond the documented AgentRun endpoints. The only issue is that the instructions expect cloud credentials (not declared in metadata).
Install Mechanism
There is no install spec; this is instruction-only with Python helper scripts. The scripts import the official-sounding Alibaba Cloud SDK packages but do not attempt to download arbitrary code or call unknown URLs. Risk from installation is low, though the runtime requires the SDK to be present.
Credentials
The scripts require sensitive credentials (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional security token). Those credentials are proportionate for managing cloud resources, but the skill metadata did not declare them nor name a primary credential — an inconsistency that could lead users to unknowingly supply powerful secrets. The skill also suggests saving outputs locally (output/...), which is fine but could contain resource identifiers and responses.
Persistence & Privilege
always is false (good). The skill allows autonomous invocation (platform default). Combined with required cloud credentials, autonomous invocation increases potential impact (the agent could create/delete cloud resources). This is not intrinsically malicious given the skill's purpose, but it is a risk vector to consider.
What to consider before installing
Do not supply long-lived Alibaba Cloud credentials until the publisher fixes the metadata to declare the required env vars. If you must use this skill: (1) provide least-privilege RAM credentials or a short-lived security token scoped only to the necessary AgentRun actions; (2) run in an isolated/test account to avoid accidental production changes; (3) verify the SDK packages you install come from official Alibaba sources; (4) consider disabling autonomous invocation or restricting the agent's ability to act without explicit user consent; and (5) confirm the skill publisher/source before trusting it with cloud credentials.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Category: service

Function Compute AgentRun (OpenAPI)

Use AgentRun OpenAPI (ROA) to manage runtimes, sandboxes, model services, memory, and credentials.

Prerequisites

  • AccessKey via RAM user (least privilege).
  • Select the correct regional endpoint (see references/endpoints.md). If unsure, choose the most reasonable region for the task or ask the user.
  • Use OpenAPI Explorer or official SDK to avoid manual signing (ROA requires SignatureV1).

Workflow

  1. Choose region endpoint (agentrun.cn-<region>.aliyuncs.com).
  2. Create runtime → publish version → create runtime endpoint.
  3. Create sandbox/template if needed.
  4. Configure credentials and model services as required.
  5. Query resources for troubleshooting.

API Groups

See references/api_overview.md for the full API list and grouping.

Script quickstart

python skills/compute/fc/alicloud-compute-fc-agentrun/scripts/quickstart.py

Environment variables:

  • AGENTRUN_ENDPOINT
  • ALICLOUD_ACCESS_KEY_ID
  • ALICLOUD_ACCESS_KEY_SECRET
  • OUTPUT_DIR (optional)

Runtime flow script

AGENTRUN_RUNTIME_NAME="my-runtime" \
AGENTRUN_RUNTIME_ENDPOINT_NAME="my-runtime-endpoint" \
python skills/compute/fc/alicloud-compute-fc-agentrun/scripts/runtime_flow.py

Environment variables:

  • AGENTRUN_ENDPOINT
  • ALICLOUD_ACCESS_KEY_ID
  • ALICLOUD_ACCESS_KEY_SECRET
  • AGENTRUN_RUNTIME_NAME
  • AGENTRUN_RUNTIME_ENDPOINT_NAME
  • AGENTRUN_RUNTIME_DESC (optional)
  • OUTPUT_DIR (optional)

Cleanup script

AGENTRUN_RUNTIME_ID="runtime-id" \
AGENTRUN_RUNTIME_ENDPOINT_ID="endpoint-id" \
python skills/compute/fc/alicloud-compute-fc-agentrun/scripts/cleanup_runtime.py

Environment variables:

  • AGENTRUN_ENDPOINT
  • ALICLOUD_ACCESS_KEY_ID
  • ALICLOUD_ACCESS_KEY_SECRET
  • AGENTRUN_RUNTIME_ID
  • AGENTRUN_RUNTIME_ENDPOINT_ID
  • OUTPUT_DIR (optional)

SDK Notes

See references/sdk.md for SDK acquisition guidance.

Output Policy

If you store any generated files or responses, write them under: output/compute-fc-agentrun/.

Validation

mkdir -p output/alicloud-compute-fc-agentrun
for f in skills/compute/fc/alicloud-compute-fc-agentrun/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-compute-fc-agentrun/validate.txt

Pass criteria: command exits 0 and output/alicloud-compute-fc-agentrun/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-compute-fc-agentrun/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

References

  • API overview and operation list: references/api_overview.md

  • Regional endpoints: references/endpoints.md

  • SDK guidance: references/sdk.md

  • Source list: references/sources.md
