Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Cli Manage

v1.0.0

Use when users need command-line operations on Alibaba Cloud resources (list/query/create/update/delete), credential/profile setup, region/endpoint selection...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (manage Alibaba Cloud via the aliyun CLI) match the included script and SKILL.md. The script's behavior (detect, download official package, install, run version) is appropriate for a CLI management skill.
Instruction Scope
SKILL.md tells the agent to validate, run the bundled ensure_aliyun_cli.py, configure credentials, run aliyun help and read-only queries before mutating actions, and save outputs to a local output directory. The instructions do not ask for unrelated files, hostnames, or other service credentials.
Install Mechanism
The script downloads and extracts an archive from https://aliyuncli.alicdn.com (official Alibaba CDN) and copies the contained 'aliyun' binary into a user-specified or default install dir (~/.local/bin) or overwrites an existing writable 'aliyun' in PATH. Download+extract is necessary for this purpose but carries the usual risks: the script does not perform signature/checksum verification of the downloaded archive.
Credentials
The skill does not declare required secrets; the SKILL.md recommends providing Alibaba Cloud credentials (AK/SK or env vars) which is proportional to a cloud CLI tool. The only environment variables the script reads are for update controls (check interval, force update, min version, install dir). There are no unrelated credentials requested.
Persistence & Privilege
The skill writes a state file (~/.cache/aliyun-cli-manage/state.json) and installs/updates a binary in a user directory (default ~/.local/bin) or an existing writable PATH location. It does not request system-wide 'always: true' privileges or modify other skills, but it will modify the local filesystem and potentially overwrite an existing aliyun binary if writable.
Assessment
This skill behaves like a normal CLI helper: it will download and install the official aliyun CLI binary and then run aliyun commands. Before installing, consider: (1) verify the download URL (the script uses aliyuncli.alicdn.com, Alibaba's CDN) and run the script in a safe environment if you have concerns; (2) the script does not verify archive signatures — if you need stronger assurance, download and verify the release manually and pass --binary-path to the script; (3) it will write a state file to ~/.cache/aliyun-cli-manage and install to ~/.local/bin by default (you can override via env or args); (4) provide least-privilege Alibaba credentials and review command parameters before allowing mutating operations; (5) if you want to avoid any automatic changes to your system binary, run the tool in an isolated/containerized environment or invoke the script with --binary-path pointing to a controlled location.

Like a lobster shell, security has layers — review code before you run it.
