Alicloud Security Cloudfw
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: alicloud-security-cloudfw Version: 1.0.3 The skill bundle is a legitimate tool for managing Alibaba Cloud Firewall (Cloudfw) via official OpenAPI metadata. The primary script, `scripts/list_openapi_meta_apis.py`, safely fetches API documentation from Alibaba Cloud's official metadata endpoint (api.aliyun.com) and saves it locally for the agent's reference, with no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with broad permissions, the agent could create or modify cloud firewall policies and resources as part of a requested task.
The skill explicitly supports mutating Alibaba Cloud Firewall resources. This is expected for the stated purpose, but firewall changes can affect production access and security posture.
Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.
Use least-privilege Alibaba Cloud permissions, review planned mutations before execution, and verify results with describe/list APIs as the skill recommends.
The agent may use configured Alibaba Cloud credentials to act in the associated cloud account.
The skill instructs use of Alibaba Cloud credentials, including a local shared credentials file. This is purpose-aligned for Cloud Firewall management, but it is sensitive account authority and the registry metadata lists no primary credential.
Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`
Provide a dedicated least-privilege credential limited to the needed Cloudfw operations and confirm which account, region, and resources will be affected.