Aliyun Cdn Manage

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is a coherent Alibaba Cloud CDN management helper, but users should treat it as high-impact because it can guide CDN changes using cloud credentials.

This skill appears benign and purpose-aligned, but use it carefully because CDN changes can affect live traffic. Before installing or invoking it, verify the publisher, use temporary least-privilege Alibaba Cloud credentials, confirm the exact domains and region, require approval for any mutating API call, and review generated output files before sharing them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unintended operation could disrupt CDN domains, cache behavior, HTTPS certificates, or production traffic.

Why it was flagged

The skill openly covers mutating Alibaba Cloud CDN APIs, including domain deletion and certificate changes. This is expected for CDN management but can affect live services if run against the wrong domain or without approval.

Skill content

Execute mutating APIs (`Add*`/`Set*`/`BatchSet*`/`Delete*`) ... Domain management: `AddCdnDomain` ... `DeleteCdnDomain` ... HTTPS certificate: `SetDomainServerCertificate`

Recommendation

Use least-privilege RAM/STS credentials, confirm the exact domain, region, change window, and rollback plan, and require explicit user approval before any Add/Set/BatchSet/Delete or cache-preload/refresh action.

What this means

If broad cloud credentials are used, the agent may have more Alibaba Cloud authority than needed for the requested CDN task.

Why it was flagged

The skill may use Alibaba Cloud account credentials from environment variables or the local shared credentials file. This is purpose-aligned, but it is sensitive authority and the registry metadata lists no primary credential or required environment variables.

Skill content

AccessKey Priority ... Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared credentials file: `~/.alibabacloud/credentials`

Recommendation

Provide temporary STS credentials or a RAM user/role limited to the exact CDN read/write actions and resources needed; verify the active credential profile before running.

What this means

Users have less external context for who maintains the skill or where updates come from.

Why it was flagged

The registry metadata does not provide a source repository or homepage. The included code is simple and clean in the supplied artifacts, but provenance is limited.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included files before use and install only if you trust the publisher, especially because the skill is intended to operate with cloud credentials.

What this means

Local output files may reveal infrastructure details or operational history to anyone with access to the workspace.

Why it was flagged

The skill stores operational evidence locally. This is disclosed and useful for auditability, but the saved files may contain cloud resource identifiers, time ranges, or CDN log/monitoring summaries.

Skill content

Save artifacts, command outputs, and API response summaries under `output/aliyun-cdn-manage/`.
- Include key parameters (region/resource id/time range) in evidence files

Recommendation

Review generated evidence files before sharing, and avoid storing secrets or full sensitive logs in output artifacts.