Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Platform Multicloud Docs Api Benchmark

v1.0.1

Benchmark similar product documentation and API documentation across Alibaba Cloud, AWS, Azure, GCP, Tencent Cloud, Volcano Engine, and Huawei Cloud. Given o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and included script match the advertised function (discover and score cloud provider docs). However, SKILL.md explicitly asks users to 'Configure least-privilege Alibaba Cloud credentials' (ALICLOUD_ACCESS_KEY_ID/ALICLOUD_ACCESS_KEY_SECRET) even though the skill's registry metadata lists no required environment variables or primary credential. Requesting provider credentials (for Alibaba Cloud) is not obviously necessary for a read-only docs discovery task unless the script calls Alibaba APIs — the metadata and manifest should declare that credential requirement but do not.
Instruction Scope
Runtime instructions are concrete (how to run the script, where outputs go) and primarily read-only (web discovery, GCP Discovery API, GitHub code search, DuckDuckGo). However, the SKILL.md asks to include 'region/resource id/time range' in evidence files and warns about 'mutating operations', which encourages collection of potentially sensitive resource identifiers. The instructions also tell users to provide cloud credentials, which broadens scope beyond simple web scraping. The script writes output artifacts to disk under an output/ path, which is expected.
Install Mechanism
No install spec; the skill is instruction-only with a standalone Python script. This is the lowest install risk (nothing is downloaded or executed at install time). The script uses only Python stdlib networking (urllib), which is expected for a discovery/benchmark tool.
Credentials
SKILL.md requests ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET (and optional ALICLOUD_REGION_ID) but the manifest/registry shows no required environment variables or primary credential. Requiring cloud credentials for a documentation benchmark is plausible only if it fetches provider-specific API metadata that requires auth, but that intent is not clearly declared in metadata — this mismatch reduces transparency and could lead users to supply keys without an explicit need or justification.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistence. It can be invoked autonomously (platform default), which is normal. The skill does write output artifacts under a local output/ path as documented; no evidence it alters other skills or global agent settings.
What to consider before installing
This skill appears to implement the advertised cross-cloud docs benchmarking, but there are two things you should confirm before installing or running it:

1) Clarify credential needs: SKILL.md asks for Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET) but the skill metadata does not declare any required env vars. Ask the author why keys are needed, what API calls will be made with them, and whether the script can run in a read-only mode without credentials. Do not supply production credentials until you understand the exact API calls.

2) Limit sensitive outputs: The instructions ask you to include region/resource IDs/time ranges in evidence files. Decide whether those identifiers are safe to write to disk and share. Run the script in an isolated environment (throwaway account or limited-privilege keys) and review output/ files before sharing.

Other practical steps:
- Inspect the full script for any code paths that perform mutating operations (create/delete) or send data to unexpected endpoints. If unsure, run the provided validation (py_compile step) first and then run discovery with pinned links and a harmless product keyword.
- Request that the maintainer update the package metadata to declare any required env vars (ALICLOUD_*) and explain exactly why they are needed. If the author confirms the script only uses credentials for non-mutating metadata fetches and updates the manifest accordingly, the skill is more coherent; until then treat it with caution.
