Alicloud Compute Fc Agentrun
PassAudited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate Alibaba Cloud AgentRun management helper, but it uses cloud access keys and can create or delete cloud resources.
Install only if you intend to let the agent manage Alibaba Cloud AgentRun resources. Use least-privilege RAM or STS credentials, verify the AgentRun SDK source, double-check region and resource IDs before create/delete operations, and review saved output files for sensitive data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken cleanup command could remove an Alibaba Cloud AgentRun runtime or endpoint.
The cleanup script deletes the specified AgentRun runtime endpoint and runtime. This is disclosed and purpose-aligned, but it is a high-impact cloud action if the wrong region or resource IDs are supplied.
delete_endpoint_resp = client.delete_agent_runtime_endpoint(delete_endpoint_req) ... delete_runtime_resp = client.delete_agent_runtime(delete_runtime_req)
Confirm the region and resource IDs before running cleanup, and use a RAM policy limited to the intended AgentRun resources.
The agent can act with whatever Alibaba Cloud permissions are attached to the supplied access key.
The skill needs Alibaba Cloud credentials to call AgentRun APIs. That is expected for this purpose, but the registry metadata did not declare required credentials or env vars.
- AccessKey via RAM user (least privilege). ... - `ALICLOUD_ACCESS_KEY_ID` - `ALICLOUD_ACCESS_KEY_SECRET`
Use a short-lived or least-privilege RAM/STS credential, and avoid providing broad account-level access keys.
Installing the wrong or tampered SDK could affect the cloud API calls made by the helper scripts.
The scripts depend on an external Alibaba Cloud SDK that is not pinned or installed by this skill. This is normal for an instruction/helper skill, but users should verify the dependency source.
from alibabacloud_agentrun20250910.client import Client as AgentRunClient ... "Missing AgentRun SDK. Generate or install SDK from OpenAPI Explorer"
Install the SDK only from Alibaba Cloud official sources or OpenAPI Explorer, and pin versions where possible.
Troubleshooting outputs could contain sensitive resource details if credential, token, or memory APIs are used.
The skill may interact with AgentRun memory/credential resources and save API outputs locally. There is no evidence of exfiltration, but local outputs may retain sensitive context or credential-related data.
Use AgentRun OpenAPI (ROA) to manage runtimes, sandboxes, model services, memory, and credentials. ... Save artifacts, command outputs, and API response summaries under `output/alicloud-compute-fc-agentrun/`.
Review and redact saved outputs, avoid storing secrets or access tokens, and clean up the output directory when finished.