ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Platform Docs Api Review

v1.0.1

Automatically review latest Alibaba Cloud product docs and OpenAPI docs by product name, then output detailed prioritized improvement suggestions with eviden...

0· 671·2 current·2 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (review Alibaba Cloud product & API docs) aligns with the bundled Python script, which resolves products via api.aliyun.com and scrapes product/help pages on aliyun.com/help. The script's HTTP requests and parsing are coherent with a docs-reviewer purpose.
!
Instruction Scope
SKILL.md tells the agent to configure Alibaba Cloud credentials, to include region/resource ids in evidence, and warns about 'mutating operations'. The provided script only performs read-only HTTP fetches of public metadata and docs pages and contains no code that reads credentials or performs mutating cloud operations. The instructions therefore overreach (scope creep): they ask for sensitive context not needed by the actual code.
Install Mechanism
No install spec; this is instruction-plus-script. No external downloads or unusual install actions are present in the bundle. The skill will only write outputs to a local output/ path when run.
!
Credentials
SKILL.md recommends environment variables ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET and optionally ALICLOUD_REGION_ID, but the skill metadata declares no required env vars and the script contains no references to these variables or to any credentialed API calls. Requesting credentials (even as a prerequisite) is disproportionate to the script's observable behavior and is an unexplained mismatch.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system configs. The script writes output only under output/alicloud-platform-docs-api-review/, which matches the SKILL.md output policy.
What to consider before installing
This skill appears to be a genuine docs/audit tool that fetches public Alibaba Cloud metadata and help pages, but the documentation asks for Alibaba Cloud credentials and warns about mutating ops even though the bundled script doesn't use credentials or make mutating API calls. Before installing or running it: 1) Do not provide ALICLOUD access keys to the skill unless the developer can justify them and show where they are used in code. 2) Inspect the full script locally (you already have it) and, if possible, run the provided py_compile/validation in an isolated environment to confirm behavior. 3) If you must run it on a system with network access, verify that network calls go only to expected domains (api.aliyun.com, www.aliyun.com, help.aliyun.com) and that no unexpected endpoints are contacted. 4) Ask the maintainer to either remove the credential recommendation from SKILL.md (if unnecessary) or to declare required env vars in the skill metadata and explain why they are needed. These steps will reduce the risk of accidental credential exposure or unexpected privilege escalation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fvxz0z4m34cre1fbsa9qpy182pkmt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments