Alicloud Security Kms

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent Alibaba KMS management skill, but it can use local Alibaba Cloud credentials for high-impact key and policy changes while the registry metadata does not declare those credentials.

Use this only if you intend the agent to manage Alibaba Cloud KMS. Provide least-privilege credentials, avoid broad admin AccessKeys, confirm the exact account/region/resource/action before any mutation, and review or clean up saved outputs afterward.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If broad Alibaba Cloud credentials are available, the agent may be able to change KMS keys, policies, or related resources in the user's cloud account.

Why it was flagged

The skill instructs the agent to use Alibaba Cloud credentials, including a local shared credential profile, for KMS operations. The registry metadata separately says there are no required env vars, primary credential, or config paths, so this high-impact credential boundary is under-declared.

Skill content

AccessKey priority (must follow) ... Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`

Recommendation

Declare the credential and config-file requirements in metadata, use a least-privilege Alibaba Cloud RAM user/role, and require explicit confirmation of account, region, resource, and mutation before any KMS change.

What this means

A mistaken or overly broad operation could alter important KMS configuration or access controls.

Why it was flagged

The skill intentionally supports broad KMS mutation APIs. This is purpose-aligned, but KMS mutations can affect encryption keys, access policies, and service availability.

Skill content

Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.

Recommendation

Use read-only discovery first, then approve each mutating operation with the exact API, region, resource ID, and expected effect.

What this means

KMS metadata or operation results may remain in the workspace after the task and could be read later by users or tools with workspace access.

Why it was flagged

The skill stores API discovery and operation outputs locally. These files may contain cloud resource names, identifiers, policies, or troubleshooting details that should be treated as sensitive.

Skill content

Save KMS API discovery outputs and operation results in `output/alicloud-security-kms/`.

Recommendation

Review saved outputs, avoid storing secrets or unnecessary response fields, and delete the output directory when the evidence is no longer needed.