v1.0.3

Alicloud Compute Fc Serverless Devs

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:35 AM.

Analysis

The skill is a coherent Alibaba Cloud FC helper, but it asks for high-impact cloud credentials and includes sudo, unpinned npm/npx execution, and auto-confirmed deploy commands that deserve review before use.

Guidance: Install only if you intend to let the agent manage Alibaba Cloud FC resources. Use a least-privilege temporary credential, verify the Serverless Devs package/version, avoid sudo for normal CLI use, remove auto-confirm piping, and confirm the account, region, function, and domain before any deploy or remove command.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
sudo s deploy; sudo s invoke -e "test"; sudo s remove; printf 'y\n' | npx -y @serverless-devs/s deploy

These instructions perform cloud deployment, invocation, removal, and custom-domain deployment. The piped yes response can bypass an interactive confirmation for a mutating cloud operation.

User impact: If run with the wrong region, account, function, or domain, the agent could change or remove cloud resources or publish a public endpoint without enough review at the command prompt.
Recommendation: Require explicit user confirmation for each mutating command, remove auto-yes piping, confirm region and resource IDs, and avoid running remove/deploy commands unless the user specifically requested them.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
sudo npm install @serverless-devs/s -g ... npx -y @serverless-devs/s -v

The install flow downloads and runs an unpinned npm package, including a sudo global install path and npx -y execution.

User impact: A changed or compromised npm package version could execute code locally and, once credentials are configured, could affect the connected cloud account.
Recommendation: Prefer a pinned and verified Serverless Devs version, avoid sudo/global installation where possible, use an isolated environment, and review package provenance before granting cloud credentials.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
sudo s config add ... s config add -a default --AccessKeyID <AK> --AccessKeySecret <SK> -f

The skill instructs configuring persistent Alibaba Cloud access-key credentials, including a sudo-based setup path and a force/non-interactive credential command.

User impact: Cloud access keys could grant broad authority over Alibaba Cloud resources, and using sudo for credential setup may store or operate on those credentials with unnecessary local privilege.
Recommendation: Use least-privilege RAM credentials, avoid placing secrets directly in command arguments where possible, do not use sudo for normal cloud CLI operations unless strictly required, and verify any existing credential alias before overwriting it.