ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Esa Manage

v1.0.0

Use when managing Alibaba Cloud ESA — deploy HTML/static sites via Pages, manage Edge Routines (ER) for serverless edge functions, use Edge KV for distribute...

0· 27·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, reference docs, and included scripts consistently implement ESA (Pages, Edge Routine, Edge KV, DNS, cache, analytics). The capability set and files are coherent with the stated purpose.
Instruction Scope
Runtime instructions and code focus on ESA APIs and expected local operations (packaging a folder, uploading zip/html to OSS, calling SDK APIs). The instructions reference reading local directories when deploying static sites (expected for a deploy tool) and call external ESA/OSS endpoints obtained from API responses; there is no indication the instructions ask the agent to read unrelated system files or send data to third-party endpoints.
Install Mechanism
This is an instruction-only skill with no install spec; included Python scripts assume the runtime has the listed Alibaba SDK and requests library but the skill does not fetch arbitrary remote code. No risky download/install URLs are present in the manifest.
!
Credentials
SKILL.md and scripts explicitly require Alibaba AccessKey credentials and SDK credential configuration (and instruct to `pip install` SDK packages), but the skill metadata declares no required environment variables or primary credential. That mismatch means the registry metadata is incomplete: the skill will need IAM credentials (AK/SK or role) to operate, but the platform metadata does not declare or gate those credentials. Users should assume the skill requires an Alibaba RAM AccessKey with permissions for ESA, OSS uploads, DNS/site management, KV, and analytics APIs — privileges that should be scoped to least privilege.
Persistence & Privilege
The skill does not request always:true and contains no install-time hooks or modifications to other skills. It runs via Python scripts that act on API services; there is no evidence it persists itself or modifies system-wide agent settings.
What to consider before installing
This skill appears to do what it says (manage Alibaba ESA), but the registry metadata fails to declare the credential requirements. Before installing: 1) Expect to supply an Alibaba AccessKey (AK/SK) or role with scoped ESA/OSS/DNS/KV permissions — do not use root account credentials. 2) Review the included Python scripts (they package local folders and POST to OSS using upload signatures returned by the API) and confirm you are comfortable running them in your environment. 3) If you will let the agent invoke this skill autonomously, restrict the provided credentials to least-privilege IAM policies (only ESA/OSS/APIs required). 4) Consider running deployments from an isolated environment or CI runner and audit network activity during first runs. If you want to proceed, ask the publisher to update the skill metadata to declare required env vars/primary credential so the platform can enforce credential gating.

Like a lobster shell, security has layers — review code before you run it.

latestvk979sb7214yhq8n5hfze7z2nss843nqm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments