Alicloud Platform Multicloud Docs Api Benchmark

Review

Audited by ClawScan on May 10, 2026.

Overview

The benchmark mostly matches its stated purpose, but it asks users to configure Alibaba Cloud access keys without a clear need and uses weak URL validation for supposedly official documentation sources.

Review before installing. The public documentation benchmarking workflow appears mostly coherent, but avoid setting Alibaba Cloud credentials unless you receive a clear explanation of the exact permissions and API calls needed. Treat benchmark results cautiously until the official-domain URL validation is tightened.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may expose Alibaba Cloud account credentials to the agent environment even though the benchmark appears to rely mainly on public documentation sources.

Why it was flagged

The skill is described as benchmarking public documentation/API docs, and the registry declares no required credentials. Cloud access keys grant sensitive authority, and the request for them is not clearly bounded or justified by the documented workflow.

Skill content

Configure least-privilege Alibaba Cloud credentials before execution. Prefer environment variables: `ALICLOUD_ACCESS_KEY_ID`, `ALICLOUD_ACCESS_KEY_SECRET`, optional `ALICLOUD_REGION_ID`.

Recommendation

Do not configure cloud access keys unless the maintainer clearly documents why they are required, what API calls will be made, and what permissions are safe.

What this means

The benchmark could fetch or score non-official pages while presenting them as official-source evidence, reducing trust in the comparison results.

Why it was flagged

The code claims to constrain discovery to official domains, but it checks whether the domain string appears anywhere in the URL rather than validating the URL hostname. A deceptive URL containing an official domain name in its path or query could pass this check.

Skill content

def domain_allowed(url: str, domains: tuple[str, ...]) -> bool:
    low = url.lower()
    return any(d in low for d in domains)

Recommendation

Validate parsed hostnames instead of substring matching, and require hostname equality or safe subdomain suffix checks for each provider.

What this means

Installing and using the skill allows the agent to run the benchmark script locally and make network requests for documentation discovery.

Why it was flagged

The skill instructs the agent to run an included local Python script. This is expected for the benchmark purpose and no suspicious static scan findings were reported, but users should know code execution is part of the workflow.

Skill content

python skills/platform/docs/alicloud-platform-multicloud-docs-api-benchmark/scripts/benchmark_multicloud_docs_api.py --product "<product keyword>"

Recommendation

Run it only in an environment where local script execution and outbound web requests to documentation/search/API sources are acceptable.