Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aliyun Dns Cli
v1.0.0
Use when you need to query, add, and update DNS records via aliyun-cli, including CNAME setup for Function Compute custom domains.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description align with managing Alidns records via aliyun-cli. However, the published metadata declares no required environment variables or primary credential, while the SKILL.md clearly requires Alibaba Cloud Access Key ID/Secret (and suggests ALICLOUD_* env vars). The metadata omission is an incoherence: a DNS-management skill legitimately needs credentials and should declare them.
Instruction Scope
Runtime instructions are focused on installing aliyun-cli, configuring credentials, and calling the expected Alidns CLI commands. They do not appear to request unrelated files or external endpoints. However, they instruct storing credentials (via 'aliyun configure set' or env vars) and writing artifacts under the user's home (~/.local/bin and output/aliyun-dns-cli), and these actions are not reflected in the declared requirements — that scope mismatch is a concern.
Install Mechanism
The install uses curl to fetch an archive from aliyuncli.alicdn.com (Alibaba's CDN) and extracts/moves it into ~/.local/bin. Using the official CDN is expected for aliyun-cli; extraction and installation into the user's home is normal for a user-level installation. Still, any install-from-URL step writes executable code to disk and should be reviewed before running.
Credentials
The skill requires access keys (AK/SK) to operate, which is proportionate to DNS management. The problem is the metadata does not declare these env vars or a primary credential, so consumers may not realize sensitive credentials are needed or will be persisted by the CLI. The SKILL.md does correctly recommend least-privilege credentials and suggests using environment variables, but the omission from registry metadata is misleading.
Persistence & Privilege
The skill is instruction-only and not always-enabled. It instructs the agent/user to install a binary into ~/.local/bin and to run the aliyun CLI configure command, which will create local credential/config files. This is expected for a CLI-based integration but does result in persistent binaries and stored credentials in the user's home directory.
What to consider before installing
This skill's actions (install aliyun-cli, set AK/SK, run Alidns commands) are coherent for DNS management, but the registry metadata failing to declare required credentials is a red flag. Before installing or running:
1) Verify the download URL (aliyuncli.alicdn.com) and prefer official install docs or package manager alternatives.
2) Use least-privilege Alibaba Cloud keys; create a dedicated short-lived key for this task if possible.
3) Prefer providing credentials via environment variables (ALICLOUD_ACCESS_KEY_ID/SECRET) rather than embedding them in persistent config, and inspect any created files under ~/.local/bin and the CLI config.
4) Ask the publisher to update the skill metadata to declare required env vars/credentials.
If you do not trust the source, do not run the curl+install steps.
Like a lobster shell, security has layers — review code before you run it.
