ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Storage Oss Ossutil

v1.0.3

Alibaba Cloud OSS CLI (ossutil 2.0) skill. Install, configure, and operate OSS from the command line based on the official ossutil overview.

1· 1.2k·4 current·4 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description map directly to the provided documentation and examples for ossutil 2.0. The files (SKILL.md, install references, sources) and the validation script relate to installing, configuring, and using Alibaba Cloud OSS via ossutil; no unrelated services or credentials are requested.
Instruction Scope
SKILL.md stays on-topic: it instructs how to install, configure, and run ossutil, how to set AK/SK via env or config file, how to run list/upload/download/sync, and to save outputs under output/alicloud-storage-oss-ossutil/. The included check_ossutil.py only verifies the presence/version of ossutil and writes a local validate.txt; it does not transmit data externally.
Install Mechanism
There is no automated install spec in the registry, but references/install.md shows curl downloads from gosspublic.alicdn.com (Alibaba's public CDN) and unzip/move into /usr/local/bin. This is proportional for installing a CLI but involves executing network-downloaded binaries — verify official URLs and checksums before running.
Credentials
The skill does not declare required environment variables in the registry metadata, but the docs recommend using ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, and optional ALICLOUD_REGION_ID or a credentials file. Asking the user to provide OSS credentials is expected for this CLI; the guidance to prefer RAM and avoid passing secrets on the command line is appropriate.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. The agent-invocation defaults are standard and appropriate for a tool-integration skill.
Assessment
This skill appears to be a straightforward OSS/ossutil helper. Before installing or running commands: (1) verify the referenced download URLs (gosspublic.alicdn.com) and, if possible, check an official checksum or signature; (2) prefer using Alibaba Cloud RAM users with least privilege and store credentials in a config file or environment variables rather than passing them on the command line; (3) review and run the included check_ossutil.py locally to confirm ossutil availability (it only checks version and writes a local file); (4) run installation steps in a controlled environment (or sandbox) if you do not fully trust the system where you intend to install the CLI.

Like a lobster shell, security has layers — review code before you run it.

latestvk972n7tph5p3c0ecrc81r0f2fs82qjhp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments