ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Network Dns Cli

v1.0.2

Alibaba Cloud DNS (Alidns) CLI skill. Use to query, add, and update DNS records via aliyun-cli, including CNAME setup for Function Compute custom domains.

0· 1.1k·2 current·2 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: it is explicitly a helper for managing Alidns via aliyun-cli and for CNAME setup for Function Compute. The steps and API calls in SKILL.md are consistent with that purpose.
Instruction Scope
SKILL.md stays on-topic: it instructs installing aliyun-cli, configuring Alibaba Cloud credentials, running DescribeSubDomainRecords and AddDomainRecord, and saving outputs. It does not instruct reading unrelated system files or exfiltrating data to third-party endpoints.
Install Mechanism
The install instructions use curl to download a tarball from aliyuncli.alicdn.com (an Alibaba CDN domain referenced in the official docs). Using curl+extract is expected for installing a CLI but bears the usual risks of arbitrary binary installs; this is proportionate for a CLI helper but users should verify the URL and checksum before running.
!
Credentials
Registry metadata lists no required environment variables or primary credential, but SKILL.md clearly requires Alibaba Cloud access keys (and suggests ALICLOUD_ACCESS_KEY_ID/ALICLOUD_ACCESS_KEY_SECRET and optional region). This mismatch (metadata omission) is a notable incoherence — the skill will require secret credentials to operate, and that should be declared up front.
Persistence & Privilege
The skill is instruction-only, has no install spec in registry, and does not request always:true. Autonomous invocation is allowed by default (normal), but the skill itself does not request elevated or persistent platform privileges. The aliyun CLI configuration step will persist credentials locally (per normal CLI behavior).
What to consider before installing
This skill appears to do what it says (manage Alibaba Cloud DNS with aliyun-cli), but before using it: 1) be aware it requires your Alibaba Cloud Access Key ID and Secret — do not provide root or overly powerful keys; create least-privilege keys for DNS changes. 2) The registry metadata did not declare these required credentials — treat that omission as a red flag and confirm how/when credentials are used. 3) Review the download URL (aliyuncli.alicdn.com) and, if possible, verify checksums from official docs before running the curl/install steps. 4) Ensure the agent or skill will ask for explicit confirmation before performing mutating operations (AddDomainRecord). 5) After testing, remove or rotate any credentials stored by the CLI if you no longer need them. If you need higher assurance, ask the publisher to update the registry metadata to list the required env vars and to provide checksums or a vetted install mechanism.

Like a lobster shell, security has layers — review code before you run it.

latestvk977hhzqhb4sym60kp89208qnn82p7j1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments