Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aliyun Cloudauth Verify
v1.0.0
Use when managing Alibaba Cloud ID Verification (Cloudauth) via OpenAPI/SDK, including the user is working on identity-verification resource operations, conf...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name, description, and included script all focus on Alibaba Cloud Cloudauth API discovery and management; the provided Python script fetches OpenAPI metadata from api.aliyun.com which is coherent with the stated purpose. Note: the skill's registry metadata lists no required env vars/credentials, but the SKILL.md explicitly expects Alibaba Cloud access keys and a shared config file — a documentation/metadata mismatch.
Instruction Scope
SKILL.md instructs the agent to prefer environment variables (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / optional ALICLOUD_REGION_ID) and to fall back to ~/.alibabacloud/credentials. This is reasonable for a cloud-management skill, but it means the agent will access local credentials/config files and may choose a region if the user doesn't provide one; that discretion is somewhat open-ended and should be limited for mutating operations (the doc does advise asking the user before mutating).
Install Mechanism
No install spec; skill is instruction-only with a small included Python script. No external downloads or package installs are performed by the skill itself, which keeps install risk low. The script makes network requests to official api.aliyun.com endpoints — expected for API discovery.
Credentials
The skill requires access to sensitive Alibaba Cloud credentials and a local credentials file according to SKILL.md, but the registry metadata lists no required environment variables or primary credential. Failing to declare these sensitive requirements is a meaningful omission: users and the platform should be aware this skill will access secrets and a home-directory config file.
Persistence & Privilege
always is false, the skill does not request persistent/autonomous elevated privileges, and it does not modify other skills or system-wide config. It writes artifacts only under an output/ subdirectory as described.
What to consider before installing
This skill appears to do what it says (fetch Cloudauth OpenAPI metadata) and the Python script is small and straightforward, but the SKILL.md expects your Alibaba Cloud access keys or a ~/.alibabacloud/credentials file even though the registry metadata does not declare any required credentials. Before installing or running it:
(1) Inspect the script and SKILL.md yourself (you already have them) — the script only fetches metadata from api.aliyun.com.
(2) Only provide Alibaba Cloud credentials with least-privilege keys and prefer using temporary or scoped credentials.
(3) If you don't want the agent to access credentials autonomously, avoid enabling autonomous invocation or run the script manually in a controlled environment.
(4) Ask the publisher (or require an updated registry entry) to explicitly declare required env vars/primary credential so the platform can surface the sensitive requirement to users.
Like a lobster shell, security has layers — review code before you run it.
