Alicloud Platform Docs Api Review
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: alicloud-platform-docs-api-review
Version: 1.0.1
The skill bundle is designed to automate the review of Alibaba Cloud product and API documentation. The core logic in `scripts/review_product_docs_and_api.py` fetches public metadata and documentation links from official Alibaba Cloud domains (api.aliyun.com and aliyun.com) to generate a structured quality report. There is no evidence of data exfiltration, credential theft, or unauthorized command execution; the script uses standard libraries for HTTP requests and local file I/O consistent with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could unnecessarily expose Alibaba Cloud access keys to the agent environment for a task that appears to only need public documentation data.
The skill asks for Alibaba Cloud account credentials even though its stated purpose is documentation review and the registry declares no required credentials or environment variables. The visible script behavior uses public documentation/API metadata URLs, so the need and exact permission scope are unclear.
Configure least-privilege Alibaba Cloud credentials before execution. Prefer environment variables: `ALICLOUD_ACCESS_KEY_ID`, `ALICLOUD_ACCESS_KEY_SECRET`
Remove the credential prerequisite unless it is truly required. If credentials are required, declare them in metadata and document exact read-only permissions, scope, and how the keys are used.
An agent could interpret the skill as allowing Alibaba Cloud account changes if credentials are present, which could lead to unintended resource or account mutations.
A docs/API review skill should not need to mutate cloud resources. This wording introduces ambiguous high-impact authority without defining what mutations are in scope or how they are approved.
If region is unclear, ask the user before running mutating operations.
Explicitly prohibit mutating cloud operations in this skill, or move them to a separate clearly-scoped skill with required user confirmation and reversible, documented actions.
Running the skill executes local Python code that fetches Alibaba Cloud documentation data and writes report files.
The skill runs a bundled Python script. This is disclosed and central to the documentation review purpose, but users should still understand that local code will execute.
python skills/platform/docs/alicloud-platform-docs-api-review/scripts/review_product_docs_and_api.py --product "<product name or product code>"
Run it only in an environment where executing the bundled script is acceptable, and avoid providing cloud credentials unless the skill is updated to justify and bound their use.
Users have less external context for verifying the author, source history, or maintenance of the bundled script.
The registry information does not provide a source repository or homepage for provenance. No remote installer is shown, but provenance is limited.
Source: unknown; Homepage: none
Prefer a published source repository or homepage, and review the bundled script before running it.
