Alicloud Platform Openapi Product Api Discovery
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If broad credentials are provided, the scripts run with the account permissions attached to those credentials, even though the included code only shows list/read-style API calls.
The workflow uses Alibaba Cloud access keys for product-list API calls. This is purpose-aligned and disclosed, but those credentials are sensitive account authority.
Configure least-privilege Alibaba Cloud credentials before execution. Prefer environment variables: `ALICLOUD_ACCESS_KEY_ID`, `ALICLOUD_ACCESS_KEY_SECRET`, optional `ALICLOUD_REGION_ID`.
Use a temporary or least-privilege key scoped to the needed read/list APIs, and avoid using administrative credentials.
A full run could take time, create a large output tree, or consume API/network quota.
The OpenAPI metadata crawl may make many network requests and write many files unless the user scopes it with filters. The artifact discloses this and provides controls.
By default this can be large. Use filters for dry runs:
- `OPENAPI_META_MAX_PRODUCTS=10`
- `OPENAPI_META_PRODUCTS=Ecs,Ons`
- `OPENAPI_META_VERSIONS=2014-05-26`
Start with `OPENAPI_META_MAX_PRODUCTS` or explicit product/version filters before running a full catalog crawl.
Installing the wrong or compromised package could affect the environment where the skill is run.
The scripts depend on a manually installed, unpinned Python SDK. This is expected for Alibaba Cloud API access, but users should verify the package source and version.
Missing SDK. Install: pip install aliyun-python-sdk-core
Install the official Alibaba Cloud SDK in a controlled environment and consider pinning a known-good version.
