Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Data Analytics Dataanalysisgbi

v1.0.3

Manage Alibaba Cloud DataAnalysisGBI via OpenAPI/SDK. Use whenever the user needs DataAnalysisGBI resource lifecycle operations, configuration changes, statu...

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's name, description, and included script match the stated purpose (discovering and listing DataAnalysisGBI OpenAPI metadata and guiding SDK/API calls). There are no unrelated binaries or third-party installs. However, the SKILL.md expects Alibaba Cloud credentials and shared config usage even though the registry metadata lists no required environment variables or config paths — this mismatch is unexpected.
Instruction Scope
SKILL.md instructions are scoped to API discovery and making API calls (confirm region/ids, use List/Describe/Create/Update, verify with describe/list). It instructs writing artifacts to a skill-specific output directory. It does reference reading credentials from environment variables or the shared config file (~/.alibabacloud/credentials), which is appropriate for cloud API calls but extends beyond the manifest declarations (see purpose_capability). There are no instructions to exfiltrate data to unexpected endpoints; the included script only fetches api.aliyun.com metadata.
Install Mechanism
This is instruction-only with a small helper script; there is no install spec, no downloads, and nothing written to system paths. The included Python script uses stdlib urllib to fetch metadata — low install risk.
Credentials
The SKILL.md explicitly requires Alibaba Cloud AccessKey env vars (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID) and offers a shared config file as fallback. The skill manifest (registry metadata) however lists no required env vars or config paths. That under-declaration is a red flag because the runtime will ask for sensitive credentials but the manifest does not advertise them, making it harder for users to notice what secrets they must provide. The number and type of credentials requested are proportionate to the stated cloud-management purpose, but they must be declared upfront.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no forced permanent presence. The skill writes artifacts under its own output directory per SKILL.md; it does not request system-wide configuration changes or modify other skills.
What to consider before installing
This skill appears to do what it advertises (discovering Alibaba Cloud DataAnalysisGBI OpenAPI metadata and guiding API/SDK calls). However, SKILL.md expects you to provide Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET) or use ~/.alibabacloud/credentials, but the skill's registry metadata did not declare these required env vars — that mismatch is concerning because you might not notice you are handing sensitive keys to this skill. Before installing or running: (1) verify the skill source/trustworthiness (author, registry page); (2) prefer creating a least-privilege Alibaba Cloud key scoped to only DataAnalysisGBI operations; (3) consider supplying credentials via a temporary or constrained mechanism rather than system-wide env vars; (4) inspect the script locally (it only fetches api.aliyun.com metadata) and run it manually in a safe environment if unsure; and (5) be aware the skill will write outputs under output/alicloud-data-analytics-dataanalysisgbi/ — ensure that directory is secure and does not get uploaded to external services. If the publisher can't explain why the manifest omits the credential declarations, treat the skill as untrusted until corrected.

Like a lobster shell, security has layers — review code before you run it.

latest vk977r3cvnm62crrcsmyp76s0j982q3xh
1.1k downloads
0 stars
4 versions
Updated 23h ago
MIT-0

Category: service

DataAnalysisGBI

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for DataAnalysisGBI.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
     Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials
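
A preflight resolver for the priority order above, as an added example that is not part of the skill or its scripts. The function names are hypothetical, and the shared config layout (an INI file with a [default] profile holding access_key_id and access_key_secret) is an assumption, since the page does not show the file. It reports which source supplied the key, flags a credentials file that other local users can read, and redacts the key before anything is written to evidence files.

```python
import configparser
import os
import stat
from pathlib import Path

ENV_ID = "ALICLOUD_ACCESS_KEY_ID"
ENV_SECRET = "ALICLOUD_ACCESS_KEY_SECRET"
ENV_REGION = "ALICLOUD_REGION_ID"
SHARED_CONFIG = Path.home() / ".alibabacloud" / "credentials"


def resolve_credentials(env=None, config_path=SHARED_CONFIG, profile="default"):
    """Return (creds, source, warnings); creds is None when nothing usable is found."""
    env = os.environ if env is None else env
    warnings = []
    region = env.get(ENV_REGION) or None  # optional; None means "decide or ask the user"
    key_id, secret = env.get(ENV_ID), env.get(ENV_SECRET)
    # Priority 1: environment variables, only when BOTH halves of the key are set.
    if key_id and secret:
        return _creds(key_id, secret, region), "environment", warnings
    if key_id or secret:
        warnings.append("only one AccessKey env var is set; falling back to shared config")
    # Priority 2: shared config file (assumed INI layout, see lead-in).
    path = Path(config_path)
    if not path.is_file():
        return None, "none", warnings
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        warnings.append(f"{path} is accessible to group/others; restrict it to mode 600")
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read(path, encoding="utf-8")
    section = parser[profile] if parser.has_section(profile) else {}
    key_id, secret = section.get("access_key_id"), section.get("access_key_secret")
    if key_id and secret:
        return _creds(key_id, secret, region), "shared-config", warnings
    return None, "none", warnings


def _creds(key_id, secret, region):
    return {"access_key_id": key_id, "access_key_secret": secret, "region_id": region}


def redact(creds):
    """Copy of creds that is safe to write into evidence files under output/."""
    safe = dict(creds)
    safe["access_key_id"] = "*" * 8 + creds["access_key_id"][-4:]
    safe["access_key_secret"] = "<redacted>"
    return safe
```
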

API discovery

  • Product code: DataAnalysisGBI
  • Default API version: 2024-08-23
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/alicloud-data-analytics-dataanalysisgbi/

Validation

set -e  # stop on the first compile failure so validate.txt is only written on success
mkdir -p output/alicloud-data-analytics-dataanalysisgbi
for f in skills/data-analytics/alicloud-data-analytics-dataanalysisgbi/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-data-analytics-dataanalysisgbi/validate.txt

Pass criteria: command exits 0 and output/alicloud-data-analytics-dataanalysisgbi/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-data-analytics-dataanalysisgbi/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md
