Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Database Rds Supabase

v1.0.1

Manage Alibaba Cloud RDS Supabase (RDS AI Service 2025-05-07) via OpenAPI. Use for creating, starting/stopping/restarting instances, resetting passwords, que...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The name/description match the SKILL.md: it manages Alibaba Cloud RDS Supabase via the RDS AI OpenAPI. However, the skill's metadata lists no required environment variables or primary credential, while the SKILL.md explicitly instructs the agent to use Alibaba Cloud AccessKey credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optional ALICLOUD_REGION_ID) or the standard credentials file. That omission in metadata is a coherence problem: a cloud-management skill legitimately needs credentials, and they should be declared.
! Instruction Scope
SKILL.md gives concrete runtime instructions: read environment variables, check ~/.alibabacloud/credentials, choose regions (and optionally perform all-region queries), call many read/write API operations, and save API responses to output/alicloud-database-rds-supabase/. These instructions are generally within the skill's stated purpose, but they also enable broad enumeration (all-region DescribeAppInstances) and instruct writing outputs that may include secrets (endpoints, auth info, passwords). The document also references storage config fields (e.g., AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) — the skill could request or handle third-party cloud credentials when modifying storage, which is a scope expansion that should be explicit.
Install Mechanism
Instruction-only skill with no install spec and no code files; lowest install risk. Nothing is written to disk by an install step. Runtime behaviour depends entirely on the SKILL.md instructions and the agent environment.
! Credentials
The SKILL.md legitimately requires Alibaba Cloud credentials and optionally a region, but the registry metadata lists none. The SKILL.md also references the standard credentials file path (~/.alibabacloud/credentials) and storage configuration parameters that may contain third-party cloud credentials (e.g., AWS_ACCESS_KEY_ID/SECRET, S3 endpoint). Requesting the Alibaba credentials is proportionate to the purpose, but the omission from declared requirements and the possible need for additional storage credentials are inconsistent and potentially confusing for users.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not claim to modify other skills or global agent settings. Autonomous invocation is allowed by default (normal for skills); combining that with user-provided cloud credentials gives the skill the ability to act on cloud resources — expected for this type of skill but something the user should authorize explicitly.
What to consider before installing
This skill appears to be a legitimate Alibaba Cloud RDS Supabase manager, but the SKILL.md expects you to provide Alibaba access keys (ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET) or a credentials file even though the registry metadata doesn't declare them. Before installing or running it: (1) only provide a least-privilege RAM user/role (no full-owner keys); (2) confirm the skill author updates metadata to declare required env vars; (3) be cautious about allowing all-region queries — approve those explicitly; (4) beware that output files may contain sensitive data (endpoints, passwords, auth info) and that modifying storage config could require third-party cloud credentials (e.g., S3 keys); and (5) ask the publisher for clarification on what permissions the skill needs and why, or for a minimal permission policy you can apply.

Like a lobster shell, security has layers — review code before you run it.
