Alicloud Platform Openapi Product Api Discovery

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do the advertised Alibaba Cloud product/API discovery, but it uses Alibaba Cloud credentials and can run a large metadata crawl, so users should use least-privilege credentials and filters.

Before installing or running, verify the skill source, install the Alibaba Cloud SDK from a trusted source, use least-privilege temporary Alibaba Cloud credentials, and run the OpenAPI metadata crawl with filters first to control output size and API usage.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If broad credentials are provided, the scripts run with the account permissions attached to those credentials, even though the included code only shows list/read-style API calls.

Why it was flagged

The workflow uses Alibaba Cloud access keys for product-list API calls. This is purpose-aligned and disclosed, but those credentials are sensitive account authority.

Skill content

Configure least-privilege Alibaba Cloud credentials before execution. Prefer environment variables: `ALICLOUD_ACCESS_KEY_ID`, `ALICLOUD_ACCESS_KEY_SECRET`, optional `ALICLOUD_REGION_ID`.

Recommendation

Use a temporary or least-privilege key scoped to the needed read/list APIs, and avoid using administrative credentials.

What this means

A full run could take time, create a large output tree, or consume API/network quota.

Why it was flagged

The OpenAPI metadata crawl may make many network requests and write many files unless the user scopes it with filters. The artifact discloses this and provides controls.

Skill content

By default this can be large. Use filters for dry runs:

- `OPENAPI_META_MAX_PRODUCTS=10`
- `OPENAPI_META_PRODUCTS=Ecs,Ons`
- `OPENAPI_META_VERSIONS=2014-05-26`

Recommendation

Start with `OPENAPI_META_MAX_PRODUCTS` or explicit product/version filters before running a full catalog crawl.

What this means

Installing the wrong or compromised package could affect the environment where the skill is run.

Why it was flagged

The scripts depend on a manually installed, unpinned Python SDK. This is expected for Alibaba Cloud API access, but users should verify the package source and version.

Skill content

Missing SDK. Install: `pip install aliyun-python-sdk-core`

Recommendation

Install the official Alibaba Cloud SDK in a controlled environment and consider pinning a known-good version.