ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Security Id Verification Cloudauth

Manage Alibaba Cloud ID Verification (Cloudauth) via OpenAPI/SDK. Use whenever the user is working on identity-verification resource operations, config updat...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 900 · 2 current installs · 2 all-time installs
by@cinience
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, references, and the included script all consistently target Alibaba Cloud Cloudauth OpenAPI metadata and API workflows. The code fetches product API metadata from api.aliyun.com and writes an API list; this is coherent with the stated purpose. However, the registry metadata claims 'Required env vars: none' while the SKILL.md explicitly documents required Alibaba Cloud credentials and shared config — this mismatch is unexpected.
Instruction Scope
Runtime instructions are narrowly scoped to discovering OpenAPI metadata, calling Cloudauth SDK/APIs, and saving artifacts under the skill output directory. The SKILL.md instructs the agent to use environment variables or ~/.alibabacloud/credentials for credentials, to prefer least-privilege credentials, and to save evidence including key parameters (region/resource id/time range). The guidance to save key parameters is reasonable for reproducibility but could cause sensitive identifiers to be written to disk if the agent is not careful; SKILL.md does not explicitly warn against writing secrets to the output directory.
Install Mechanism
There is no install spec — the skill is instruction-only with a small included Python script. The script uses standard library urllib to call api.aliyun.com and writes output under a local output directory. No third-party packages, downloads from unknown URLs, or extract/install steps are present.
!
Credentials
The SKILL.md requires Alibaba Cloud access keys (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET) and optionally ALICLOUD_REGION_ID or ~/.alibabacloud/credentials, but the skill metadata lists no required env vars and no primary credential. That omission is a meaningful incoherence: the skill will reasonably need cloud credentials to perform API calls, yet the registry metadata doesn't declare them. Also the instructions ask to save evidence files that may include region/resource identifiers — avoid saving secrets. Verify you provide only least-privilege credentials and that no credentials are written to the output.
Persistence & Privilege
The skill does not request always:true and is user-invocable with normal autonomous invocation allowed. It does not attempt to modify other skills or system-wide settings. It only writes artifacts under its own output path by instruction.
What to consider before installing
This skill appears to do what it says (discover Cloudauth OpenAPI metadata and help with API workflows), but the registry metadata does not declare the Alibaba Cloud credentials that the SKILL.md requires — that's the main inconsistency. Before installing: (1) confirm the skill source/owner is trusted (owner ID is not a known homepage), (2) be prepared to provide least-privilege Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET) or use an appropriate IAM role, (3) avoid placing secrets in the output directory or evidence files (do not save access keys), and (4) consider running the script in an isolated environment or on a machine/account with limited permissions. If you need higher confidence, ask the publisher to update the registry metadata to declare the required env vars and provide a homepage or source repository for auditing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.4
Download zip
latestvk971t4g8yptqj64kypsgeyqp3d82q8mr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: service

ID Verification (Cloudauth)

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for ID Verification.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: Cloudauth
  • Default API version: 2022-11-25
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/alicloud-security-id-verification-cloudauth/

Validation

mkdir -p output/alicloud-security-id-verification-cloudauth
for f in skills/security/identity/alicloud-security-id-verification-cloudauth/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-security-id-verification-cloudauth/validate.txt

Pass criteria: command exits 0 and output/alicloud-security-id-verification-cloudauth/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-security-id-verification-cloudauth/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…