Alicloud Platform Openapi Product Api Discovery
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: alicloud-platform-openapi-product-api-discovery
Version: 1.0.2
This skill bundle is a legitimate tool for discovering Alibaba Cloud product catalogs and API metadata to assist in skill development. The scripts (e.g., products_from_bssopenapi.py, apis_from_openapi_meta.py) interact with official Alibaba Cloud endpoints and the aliyun-python-sdk-core to fetch service information. While the tool requires sensitive cloud credentials, the code logic is transparent, lacks obfuscation, and shows no signs of data exfiltration or malicious intent. The workflow is consistent with the stated purpose of mapping cloud services and identifying gaps in existing skill coverage.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If broad credentials are provided, the scripts run with the account permissions attached to those credentials, even though the included code only shows list/read-style API calls.
The workflow uses Alibaba Cloud access keys for product-list API calls. This is purpose-aligned and disclosed, but those credentials carry sensitive account authority.
Configure least-privilege Alibaba Cloud credentials before execution. Prefer environment variables: `ALICLOUD_ACCESS_KEY_ID`, `ALICLOUD_ACCESS_KEY_SECRET`, optional `ALICLOUD_REGION_ID`.
Use a temporary or least-privilege key scoped to the needed read/list APIs, and avoid using administrative credentials.
A full run could take time, create a large output tree, or consume API/network quota.
The OpenAPI metadata crawl may make many network requests and write many files unless the user scopes it with filters. The artifact discloses this and provides controls.
By default this can be large. Use filters for dry runs:
- `OPENAPI_META_MAX_PRODUCTS=10`
- `OPENAPI_META_PRODUCTS=Ecs,Ons`
- `OPENAPI_META_VERSIONS=2014-05-26`
Start with `OPENAPI_META_MAX_PRODUCTS` or explicit product/version filters before running a full catalog crawl.
Installing the wrong or compromised package could affect the environment where the skill is run.
The scripts depend on a manually installed, unpinned Python SDK. This is expected for Alibaba Cloud API access, but users should verify the package source and version.
Missing SDK. Install: pip install aliyun-python-sdk-core
Install the official Alibaba Cloud SDK in a controlled environment and consider pinning a known-good version.
