Alicloud Platform Docs Api Review

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could unnecessarily expose Alibaba Cloud access keys to the agent environment for a task that appears to only need public documentation data.

Why it was flagged

The skill asks for Alibaba Cloud account credentials even though its stated purpose is documentation review and the registry declares no required credentials or environment variables. The visible script behavior uses public documentation/API metadata URLs, so the need and exact permission scope are unclear.

Skill content

Configure least-privilege Alibaba Cloud credentials before execution. Prefer environment variables: `ALICLOUD_ACCESS_KEY_ID`, `ALICLOUD_ACCESS_KEY_SECRET`

Recommendation

Remove the credential prerequisite unless it is truly required. If credentials are required, declare them in metadata and document exact read-only permissions, scope, and how the keys are used.

Concern: Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

An agent could interpret the skill as allowing Alibaba Cloud account changes if credentials are present, which could lead to unintended resource or account mutations.

Why it was flagged

A docs/API review skill should not need to mutate cloud resources. This wording introduces ambiguous high-impact authority without defining what mutations are in scope or how they are approved.

Skill content

If region is unclear, ask the user before running mutating operations.

Recommendation

Explicitly prohibit mutating cloud operations in this skill, or move them to a separate, clearly scoped skill that requires user confirmation and performs only reversible, documented actions.

What this means

Running the skill executes local Python code that fetches Alibaba Cloud documentation data and writes report files.

Why it was flagged

The skill runs a bundled Python script. This is disclosed and central to the documentation review purpose, but users should still understand that local code will execute.

Skill content

python skills/platform/docs/alicloud-platform-docs-api-review/scripts/review_product_docs_and_api.py --product "<product name or product code>"

Recommendation

Run it only in an environment where executing the bundled script is acceptable, and avoid providing cloud credentials unless the skill is updated to justify and bound their use.

What this means

Users have less external context for verifying the author, source history, or maintenance of the bundled script.

Why it was flagged

The registry information does not provide a source repository or homepage for provenance. No remote installer is shown, but provenance is limited.

Skill content

Source: unknown; Homepage: none

Recommendation

Prefer a published source repository or homepage, and review the bundled script before running it.