ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Airec Manage

v1.0.0

Use when managing Alibaba Cloud AIRec (Airec) via OpenAPI/SDK, including the user needs recommendation-engine resource operations in Alibaba Cloud, including...

0· 7·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill is described as an AIRec manager (cloud resource operations), which legitimately may need Alibaba Cloud credentials. However, the published metadata lists no required environment variables or primary credential while SKILL.md explicitly prioritizes ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and a shared config file (~/.alibabacloud/credentials). The omission in the metadata is an incoherence: either the skill should declare the credentials it needs, or it should not prompt for them.
Instruction Scope
SKILL.md instructs the agent to discover APIs, call SDK/OpenAPI, and verify results. It explicitly prioritizes env vars and mentions the shared credentials file path. The included Python script only fetches public OpenAPI metadata from api.aliyun.com and writes files under output/aliyun-airec-manage/, which is consistent with discovery. Still, the instructions could lead the agent to perform authenticated mutating operations (create/update) that would require credentials and access to the user's account; those actions are not gated by declared requirements.
Install Mechanism
No install spec is present; this is an instruction-only skill plus a small script. The script uses standard Python libraries and fetches metadata over HTTPS from a documented Alibaba endpoint. No downloads or archive extraction are used.
!
Credentials
SKILL.md asks for environment variables (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID) and references ~/.alibabacloud/credentials, but the skill metadata lists no required env vars or primary credential. That discrepancy is risky because the agent or user could be prompted to supply sensitive access keys that were not declared at install time. The script itself does not use these env vars, but the runtime instructions expect them for authenticated operations.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide changes. It writes outputs under a skill-specific output directory. Autonomous invocation is allowed (platform default), which increases risk if credentials are provided, but this by itself is expected for skills.
What to consider before installing
This skill appears to be what it says (an Alibaba AIRec management helper) but the published metadata fails to declare the credentials the instructions expect. Before installing or running it: - Don't paste or upload long-lived Alibaba Cloud access keys until you verify the author and intent. Prefer using a short-lived, least-privilege IAM role scoped to only the Airec actions needed. - Inspect the SKILL.md and the included script locally (you already have the files). The script fetches public API metadata from api.aliyun.com and writes to output/aliyun-airec-manage/ — that is normal. But authenticated SDK calls (create/update) would require credentials and could modify your cloud resources. - Ask the publisher to update the registry metadata to declare required env vars (ALICLOUD_ACCESS_KEY_ID/SECRET/REGION) and to justify any mutating operations; request a detailed list of APIs the skill will call for mutating actions. - If you must test: run the discovery script in an isolated environment (no real credentials) to confirm behavior, and only provide credentials with least privilege and limited lifetime when you trust the skill. If the author cannot explain the metadata/credential mismatch, treat the skill with extra caution (do not supply admin or broad-scope keys).

Like a lobster shell, security has layers — review code before you run it.

latestvk97a836z502h36ev866h7b09q18401xh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: service

AIRec

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for AIRec.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: Airec
  • Default API version: 2020-11-26
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/aliyun-airec-manage/

Validation

mkdir -p output/aliyun-airec-manage
for f in skills/ai/recommendation/aliyun-airec-manage/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-airec-manage/validate.txt

Pass criteria: command exits 0 and output/aliyun-airec-manage/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-airec-manage/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…