Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alicloud Media Video Translation
v1.0.2
Create and manage Alibaba Cloud IMS video translation jobs via OpenAPI (subtitle/voice/face). Use when you need API-based video translation, status polling,...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (manage Alibaba Cloud IMS video translation jobs) matches the SKILL.md instructions (SubmitVideoTranslationJob, GetSmartHandleJob, ListSmartJobs/DeleteSmartJob). Asking for ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID in the prerequisites is appropriate for this purpose. However, the registry metadata lists no required env vars or primary credential — that mismatch is unexpected and reduces transparency.
Instruction Scope
SKILL.md instructs the agent to call Alibaba Cloud OpenAPI endpoints and to use OSS input/output URIs. It references specific environment variables (AK/SK/region) and asks the agent to save API responses and evidence under an output directory. There are no instructions to read unrelated local files, but the instructions do not appear in the declared metadata, giving the agent discretion to use credentials not declared in the registry; this is a scope/visibility concern.
Install Mechanism
This is an instruction-only skill with no install spec and no included code files, so it does not write or execute new code on disk. That is low-risk from an install perspective.
Credentials
The SKILL.md requires highly sensitive credentials (ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET) which are proportionate to the claimed cloud operations, but the skill's declared requirements do not list them. The lack of declared env vars reduces transparency about what secrets the skill will use and increases risk if users supply broad-scoped credentials.
Persistence & Privilege
The skill does not request always:true, does not install persistent components, and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (platform normal) but not elevated by the skill.
What to consider before installing
Before installing:
(1) Ask the publisher to update the registry metadata to explicitly declare required env vars (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, ALICLOUD_REGION_ID). Do not set those credentials globally until you verify the publisher.
(2) Use least-privilege credentials (restrict to IMS and OSS actions and specific resources) or temporary STS tokens rather than long-lived root keys.
(3) Confirm there is a trustworthy source/homepage or repository for the skill and request published code or documentation.
(4) Consider running the skill in an isolated environment and rotate keys after testing.
(5) Be aware the skill will save API responses and job parameters to output/..., so avoid including sensitive keys or full credentials in those outputs.
Like a lobster shell, security has layers — review code before you run it.
