Alicloud Security Center Sas

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: alicloud-security-center-sas
Version: 1.0.3

The skill bundle is a legitimate tool for managing Alibaba Cloud Security Center (Sas) via its official OpenAPI. The included Python script (scripts/list_openapi_meta_apis.py) fetches public API metadata from official Alibaba Cloud endpoints (api.aliyun.com) and saves it locally for discovery purposes. While the instructions (SKILL.md) guide the agent to use sensitive credentials (ALICLOUD_ACCESS_KEY_ID), this is standard practice for cloud management tools, and there is no evidence of data exfiltration, malicious execution, or unauthorized access.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with sufficient Alibaba Cloud permissions, the agent may change Security Center settings or resources.

Why it was flagged

The skill explicitly covers mutating Alibaba Cloud Security Center operations. This is purpose-aligned, but those actions can change security configuration or resources.

Skill content

Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.

Recommendation

Use read/list APIs first, confirm the exact region, resource ID, and intended change, and use least-privilege credentials.

What this means

The agent can act with the permissions of the configured Alibaba Cloud credentials.

Why it was flagged

The skill instructs the agent to use Alibaba Cloud credentials from environment variables or a local credentials file. This is expected for Alibaba Cloud management, but it grants delegated cloud account authority.

Skill content

Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`

Recommendation

Provide a dedicated, least-privilege AccessKey limited to the needed Security Center actions and avoid using broad administrator credentials.

What this means

Security-related cloud details may remain on disk after the task completes.

Why it was flagged

The skill stores local artifacts that may include Security Center resource identifiers or response summaries. This is disclosed and scoped, but users should treat those files as potentially sensitive.

Skill content

Save artifacts, command outputs, and API response summaries under `output/alicloud-security-center-sas/`. Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Recommendation

Review generated output files before sharing them and delete or redact them if they contain sensitive resource or security information.