Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Alb Manage

v1.0.0

Use when managing and troubleshooting Alibaba Cloud ALB (Application Load Balancer), including when the user asks to inspect, create, change, or debug ALB instances,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included Python scripts (create/list/update/delete ALB resources). The code uses the Alibaba Cloud ALB SDK and calls ALB API endpoints as expected, so the functionality aligns with the stated purpose. However, the registry metadata lists no required environment variables or credentials while the scripts and SKILL.md both require Alibaba Cloud credentials and a shared config file — this is an important inconsistency.
Instruction Scope
SKILL.md instructs installing specific Python packages, running multiple scripts, and using environment variables or ~/.alibabacloud/credentials for credentials. The validation snippet references a path 'skills/network/slb/aliyun-alb-manage/scripts/*.py' which does not match the provided manifest organization (scripts/*.py), indicating sloppy or incorrect runtime instructions. The runtime instructions direct the agent to read environment credentials and to save outputs locally under output/aliyun-alb-manage/ (expected), but they also assume the presence of credentials without the registry declaring them.
Install Mechanism
There is no formal install specification in the registry, but SKILL.md asks the user/agent to pip install alibabacloud_alb20200616, alibabacloud_tea_openapi, and alibabacloud_credentials. Installing from PyPI is normal for Python tools, but the lack of an install spec in the package metadata means the runtime may fail or do unexpected installs. No remote download URLs or obfuscated installers were found in the provided files (good).
Credentials
The scripts require Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET or ALIBABA_CLOUD_... alternates and optional security token) and implicitly the shared credentials file; these are reasonable for ALB management. However, the registry metadata declares no required env vars or config paths — an incoherence. Multiple environment variable names are accepted (ALICLOUD_* and ALIBABA_CLOUD_*), which is reasonable for compatibility but should be explicitly declared so users know what secrets will be accessed.
Persistence & Privilege
The skill is not marked always:true and does not request persistent/system-wide privileges. Scripts write outputs to a local output/ directory and rely on normal SDK credential resolution; they do not attempt to modify other skill configs or set themselves as always-enabled. Autonomous invocation is allowed by default but is not combined with other high-risk indicators here.
What to consider before installing
This package implements real Alibaba Cloud ALB management scripts and will need valid Alibaba Cloud credentials to operate. Before installing or granting it access:

  1. Inspect the scripts (you already have them) and confirm they only call Alibaba SDK APIs (they do).
  2. Provide credentials with least privilege (create an IAM user/role limited to ALB actions) and prefer a temporary STS token rather than long-lived keys.
  3. Run the provided validation (py_compile) and run scripts in an isolated environment or sandboxed runner.
  4. Note the SKILL.md asks you to pip install dependencies: prefer reviewing and pinning package versions, and install into a virtualenv.
  5. Ask the publisher to update registry metadata to explicitly declare required env vars (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_SECURITY_TOKEN) and the config path (~/.alibabacloud/credentials) and to fix the validation path inconsistency.

If you cannot get these clarifications, treat the skill as untrusted until you can run it in a controlled environment with scoped credentials.
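The metadata gap this report describes (scripts that read credential variables the registry entry never declares) can be checked mechanically before a skill is installed. The following is an added example, not code from the skill or from the scanner: it parses Python source with ast and lists the environment variables the code reads that are missing from a declared set. The sample script, the empty declared set and the function names are constructed for illustration.

```python
import ast

# Assumption: the registry metadata declares no env vars, as the report states.
DECLARED_ENV = set()

# Constructed sample standing in for one of the skill's scripts (not its real code).
SAMPLE_SCRIPT = '''
import os
from os import getenv

def load_keys(profile_var):
    ak = os.getenv("ALICLOUD_ACCESS_KEY_ID")
    sk = os.environ["ALICLOUD_ACCESS_KEY_SECRET"]
    token = os.environ.get("ALICLOUD_SECURITY_TOKEN", "")
    profile = getenv(profile_var)  # name only known at run time
    return ak, sk, token, profile
'''

def _is_environ(node):
    """True for `os.environ` or a bare `environ` name."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ") or \
           (isinstance(node, ast.Name) and node.id == "environ")

def env_vars_read(source):
    """Return literal env var names read by the source (Python 3.9+ AST layout).
    Reads whose name is computed at run time are reported as '<dynamic>'."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        key = None
        if isinstance(node, ast.Call) and node.args:
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
            # Matches os.getenv(...), getenv(...) and os.environ.get(...);
            # any other `.getenv` attribute is also matched (deliberate over-approximation).
            if name == "getenv" or (name == "get" and isinstance(f, ast.Attribute)
                                    and _is_environ(f.value)):
                key = node.args[0]
        elif isinstance(node, ast.Subscript) and _is_environ(node.value):
            key = node.slice  # os.environ["NAME"]
        if key is not None:
            is_literal = isinstance(key, ast.Constant) and isinstance(key.value, str)
            found.add(key.value if is_literal else "<dynamic>")
    return found

def undeclared(source, declared):
    """Env vars the code reads that the declared metadata does not list."""
    return sorted(env_vars_read(source) - set(declared))

if __name__ == "__main__":
    for name in undeclared(SAMPLE_SCRIPT, DECLARED_ENV):
        print("undeclared env var read:", name)
```

A '<dynamic>' entry means the variable name is built at run time and needs manual review; this check covers direct reads only, not credentials resolved inside the SDK from ~/.alibabacloud/credentials.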


SKILL.md

Category: service

Application Load Balancer (ALB)

Use this skill for end-to-end ALB operations via local Python scripts and OpenAPI-compatible workflows.

Validation

mkdir -p output/aliyun-alb-manage
for f in skills/network/slb/aliyun-alb-manage/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-alb-manage/validate.txt

Pass criteria: command exits 0 and output/aliyun-alb-manage/validate.txt is generated.

Output And Evidence

  • Save all command outputs, request parameters, and API responses under output/aliyun-alb-manage/.
  • For change operations, keep before/after snapshots plus health-check results.

Prerequisites

pip install alibabacloud_alb20200616 alibabacloud_tea_openapi alibabacloud_credentials

Credential priority:

  1. ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET
  2. Optional STS token: ALICLOUD_SECURITY_TOKEN
  3. Shared config: ~/.alibabacloud/credentials

Workflow

  1. Confirm region, VPC context, target ALB resource IDs, and expected change window.
  2. Run inventory scripts first (list_*, get_*) and save baseline outputs.
  3. Apply one change at a time (listener/server-group/rule/lb lifecycle).
  4. Wait for async completion when needed (scripts/wait_for_job.py).
  5. Validate final state with health checks and state re-query.

Top task playbooks

1) Read-only inventory and quick diagnosis

python3 scripts/list_instances.py --region cn-hangzhou --json --output output/aliyun-alb-manage/instances.json
python3 scripts/list_server_groups.py --region cn-hangzhou --json --output output/aliyun-alb-manage/server-groups.json
python3 scripts/list_acls.py --region cn-hangzhou --json --output output/aliyun-alb-manage/acls.json

2) Inspect one ALB and listener details

python3 scripts/get_instance_status.py --region cn-hangzhou --lb-id alb-xxx --view detail --output output/aliyun-alb-manage/lb-detail.json
python3 scripts/list_listeners.py --region cn-hangzhou --lb-id alb-xxx --json --output output/aliyun-alb-manage/listeners.json
python3 scripts/get_listener_attribute.py --region cn-hangzhou --listener-id lsn-xxx --output output/aliyun-alb-manage/listener-attr.json

3) Validate traffic path health

python3 scripts/check_health_status.py --region cn-hangzhou --listener-id lsn-xxx --output output/aliyun-alb-manage/health.json
python3 scripts/list_server_group_servers.py --region cn-hangzhou --server-group-id sgp-xxx --output output/aliyun-alb-manage/server-group-members.json

4) Controlled change flow (example: update listener)

python3 scripts/update_listener.py --region cn-hangzhou --listener-id lsn-xxx --request-timeout 120 --output output/aliyun-alb-manage/update-listener.json
python3 scripts/check_health_status.py --region cn-hangzhou --listener-id lsn-xxx --output output/aliyun-alb-manage/health-after-update.json

5) Resource lifecycle operations

  • ALB lifecycle: create_load_balancer.py, delete_load_balancer.py, deletion_protection.py
  • Listener lifecycle: create_listener.py, start_listener.py, stop_listener.py, delete_listener.py
  • Server-group lifecycle: create_server_group.py, add_servers.py, remove_servers.py, delete_server_group.py
  • Rule lifecycle: create_rule.py, update_rule.py, delete_rule.py

References

  • API quick map: references/api_quick_map.md
  • Script catalog: references/scripts_catalog.md
  • Troubleshooting: references/troubleshooting.md
  • Logs and analysis: references/log-analysis.md
  • Dependencies/order: references/resource-dependencies.md
  • Sources: references/sources.md
