Aliyun Chatbot Manage
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent for managing Alibaba Cloud Chatbot resources, but it uses Alibaba Cloud credentials and can make account-changing API calls when the user directs it.
Install only if you intend the agent to help administer Alibaba Cloud Chatbot resources. Before use, configure a narrowly scoped Alibaba Cloud credential, confirm the active region and resource IDs, require explicit approval for changes, and review saved output files before sharing them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the configured Alibaba Cloud credentials are over-privileged, the agent could read or change more cloud resources than intended.
The skill expects Alibaba Cloud credentials or a local shared credentials profile. This is purpose-aligned for cloud management, but those credentials may grant broad account authority.
Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`
Use a least-privilege Alibaba Cloud RAM user or role limited to the needed Chatbot APIs, verify the active account and region, and avoid exposing access keys in saved outputs.
A mistaken or overbroad API call could create, update, or modify chatbot configuration in the user's Alibaba Cloud account.
The skill explicitly supports mutating Alibaba Cloud Chatbot resources through OpenAPI/SDK calls. This matches the management purpose, but the impact depends on the chosen API and parameters.
Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.
Require clear user confirmation for mutating calls, review region/resource IDs and parameters before execution, and verify results with read-only describe/list APIs afterward.
Local output files may reveal cloud resource names, IDs, regions, time ranges, or configuration summaries if shared or committed accidentally.
The skill persists local evidence files and API summaries. This is useful for reproducibility, but those files may contain operational details or resource identifiers.
Save artifacts, command outputs, and API response summaries under `output/aliyun-chatbot-manage/`. Include key parameters (region/resource id/time range) in evidence files
Review and redact saved outputs before sharing them, and avoid storing secrets or full credential-bearing responses in the output directory.
Running the helper performs an outbound request to Alibaba's OpenAPI metadata endpoint and creates files under the configured output directory.
The skill includes a user-directed Python helper command. The provided source fetches Alibaba OpenAPI metadata and writes local inventory files, which is aligned with the stated API discovery workflow.
python scripts/list_openapi_meta_apis.py
Run the helper only when API discovery is needed, keep the default output directory unless you intentionally choose another location, and inspect generated files if they will be shared.