ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Observability Sls Log Query

v1.0.2

Query and troubleshoot logs in Alibaba Cloud Log Service (SLS) using query|analysis syntax and the Python SDK. Use for time-bounded log search, error investi...

0· 1k·2 current·2 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name, description, SKILL.md, and Python scripts all implement Alibaba Cloud Log Service (SLS) querying via aliyun-log-python-sdk — that matches the stated purpose. However the registry metadata lists no required environment variables or primary credential, while the SKILL.md and both scripts require ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, SLS_ENDPOINT, SLS_PROJECT, and SLS_LOGSTORE. This mismatch (manifest claims no credentials but code needs them) is an incoherence to address.
Instruction Scope
Runtime instructions and included scripts are limited to composing SLS queries, calling the official Python SDK, printing JSON-formatted logs, and saving validation/output artifacts under an output directory. The SKILL.md does not instruct the agent to read unrelated system files or send data to third-party endpoints beyond SLS.
Install Mechanism
There is no install spec (instruction-only skill with included scripts). The README recommends installing aliyun-log-python-sdk via pip inside a virtualenv — a standard, low-risk approach. No downloads from arbitrary URLs or extract/install steps are present.
!
Credentials
Requesting Alibaba Cloud Access Key ID/Secret and SLS-specific variables is proportionate to querying SLS. However the registry metadata fails to declare these required environment variables or a primary credential, creating a misleading security picture. Also note that logs returned by SLS may contain sensitive data; the scripts print and instruct saving raw log contents to output files, which could expose secrets if present in logs. Prefer least-privilege or temporary credentials (read-only SLS access) when using this skill.
Persistence & Privilege
The skill is not marked always:true, does not request persistent system-wide changes, and does not modify other skills' configurations. Autonomous invocation (disable-model-invocation:false) is the platform default and not in itself concerning here.
What to consider before installing
This skill implements Alibaba Cloud SLS queries and legitimately needs ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET plus SLS_* variables — but the registry metadata omitted those requirements. Before installing: (1) review and confirm you trust the skill source; (2) run it in an isolated environment/venv; (3) provide least-privilege or temporary credentials (read-only SLS/LogService access), not your full account keys; (4) be aware the scripts print and save raw log entries (logs can contain secrets), so inspect output paths and rotate any keys accidentally leaked; (5) verify aliyun-log-python-sdk is installed from the official PyPI package and optionally inspect the package source. If the metadata omission concerns you, ask the publisher to correct manifest declarations or provide an explanation.

Like a lobster shell, security has layers — review code before you run it.

latestvk973aw5b8m05kymgpnwgj4bqg182p6gd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments