Aliyun Devops Manage
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent for Alibaba Cloud DevOps inventory and cautious change planning, but users should note that it uses cloud credentials, installs SDK packages, and stores DevOps outputs locally.
Install only if you intend to manage Alibaba Cloud DevOps resources. Use a virtual environment, pin or verify SDK dependencies, provide least-privilege Alibaba credentials, keep outputs private, and require explicit approval plus a rollback plan before any mutating DevOps operation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If high-privilege credentials are used, the agent could inspect, or potentially help carry out, changes across Alibaba DevOps resources.
The skill requires Alibaba Cloud credentials to call DevOps APIs. This is expected for the integration, but cloud credentials can grant broad account authority if not scoped carefully.
Configure least-privilege Alibaba Cloud credentials... `ALICLOUD_ACCESS_KEY_ID` ... `ALICLOUD_ACCESS_KEY_SECRET` ... Shared credentials file: `~/.alibabacloud/credentials`
Use temporary or least-privilege credentials limited to the intended organization/project and prefer read-only permissions unless a specific approved change is needed.
Approved mutation workflows could create or change projects, repositories, pipelines, work items, or pipeline runs.
The documentation includes high-impact DevOps mutation operations, but it also requires owner confirmation and rollback planning before use.
Run mutating APIs only after rollback and owner confirmation... `CreateProject`, `UpdateProject`, `CreateRepository`, `CreateMergeRequest`, `CreatePipeline`, `RunPipeline`
Keep the default workflow read-only, and require explicit user approval, exact resource IDs, a rollback plan, and post-change validation before any Create/Update/Run/Stop operation.
Future package updates could change behavior or introduce dependency risk.
The skill asks users to install external SDK packages without pinning exact versions. This is normal for an SDK-based integration but leaves package version/provenance to the user.
`python -m pip install -U alibabacloud_devops20210625 alibabacloud_tea_openapi`
Install in a virtual environment, pin known-good package versions where possible, and use trusted package indexes.
Local output files could expose internal DevOps inventory if shared, committed, or reused in later agent sessions.
The skill intentionally stores API outputs locally. These files may include internal organization, project, repository, pipeline, creator, or request metadata.
Save artifacts, command outputs, and API response summaries under `output/aliyun-devops-manage/`.
Review outputs before sharing, keep them out of source control, and delete them when no longer needed.
