Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Hbr Backup

v1.0.0

Use when managing Alibaba Cloud Cloud Backup (HBR) via OpenAPI/SDK, including when the user asks for backup lifecycle operations such as resource listing, policy/...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name and description match the included instructions and script: this is an Alibaba Cloud HBR/OpenAPI helper. Requesting Alibaba Cloud credentials is reasonable for this purpose. However, the published metadata lists no required env vars or primary credential even though the SKILL.md explicitly instructs using ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and a shared credentials file; that mismatch is an inconsistency.
! Instruction Scope
SKILL.md instructs the agent to discover APIs, call SDK/OpenAPI Explorer, and save artifacts (including key parameters like region/resource id/time range) under output/aliyun-hbr-backup/. It also sets an access-key priority (env vars and ~/.alibabacloud/credentials). The included script only fetches public OpenAPI metadata (no credential use), but the prose grants the agent broad discretion to call SDKs and perform mutating operations — and to write potentially sensitive evidence to disk. The instructions do not limit which APIs may be called or require explicit user confirmation before mutations, except a generic 'ask the user' for unclear regions.
Install Mechanism
This is instruction-only with a small included Python script. There is no installer that downloads or executes remote archives and no extra dependencies declared. Low install risk.
! Credentials
The SKILL.md explicitly expects Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID) and references ~/.alibabacloud/credentials, which are proportional to the stated purpose. But the skill metadata lists no required env vars or primary credential — an omission that makes it unclear how the skill will request or handle credentials at install/runtime. The instruction to include key parameters in output files could expose identifiers alongside API responses; users should ensure least-privilege and consider use of temporary, scoped credentials.
Persistence & Privilege
The skill is not force-included (always:false) and does not request elevated platform-wide privileges. It writes artifacts to an output directory under the skill workspace (normal). It does not modify other skills or global agent configuration.
What to consider before installing
This skill appears to implement what it claims (HBR/OpenAPI helper) but the manifest fails to declare the Alibaba Cloud credentials the instructions require. Before installing or running it:

  • Treat it as needing Alibaba Cloud credentials. Only provide least-privilege credentials (temporary/limited IAM keys) scoped to HBR operations.
  • Confirm how your agent runtime will supply credentials (env vars, shared config) because the package metadata does not declare them — that affects prompts and automation behavior.
  • Inspect any agent prompts or logs that might write sensitive identifiers or credentials to output/aliyun-hbr-backup/ and ensure that directory is secure or isolated.
  • If you plan to allow automatic (agent-invoked) mutating operations, require an explicit user confirmation step for any Create/Update/Delete actions.
  • If you need stronger assurance, run the included script in a sandbox first (it only fetches public API metadata) and review any additional code the agent would run to perform SDK/API calls.

I have medium confidence in this assessment because the package is small and readable, but the metadata/instructions mismatch leaves ambiguity about how credentials will be handled at runtime; clarifying that would raise confidence to high.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cdd2hr1t7m2ta9r7pw2zdhs8415xm


SKILL.md

Category: service

Cloud Backup

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for Cloud Backup.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
     Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: hbr
  • Default API version: 2017-09-08
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/aliyun-hbr-backup/

Validation

mkdir -p output/aliyun-hbr-backup
for f in skills/backup/aliyun-hbr-backup/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-hbr-backup/validate.txt

Pass criteria: command exits 0 and output/aliyun-hbr-backup/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-hbr-backup/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.
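
One way to enforce the confirmation and evidence-handling points raised in the scan and in the sections above, as an added example that is not part of the skill or its SKILL.md. The function names, the inclusion of the Delete prefix (taken from the scan advice), and the 0700/0600 permissions are assumptions of this example.

```python
import os

# Prefixes follow the page: read-style List*/Describe*/Get*/Query*,
# mutating Create*/Update*/Modify*/Set*, plus Delete* from the scan advice.
READ_PREFIXES = ("List", "Describe", "Get", "Query")
MUTATING_PREFIXES = ("Create", "Update", "Modify", "Set", "Delete")
SECRET_ENV_VARS = ("ALICLOUD_ACCESS_KEY_ID", "ALICLOUD_ACCESS_KEY_SECRET")


def classify_action(action):
    """Return 'read', 'mutating' or 'unknown' for an OpenAPI action name."""
    if action.startswith(MUTATING_PREFIXES):
        return "mutating"
    if action.startswith(READ_PREFIXES):
        return "read"
    return "unknown"


def may_call(action, confirmed_by_user=False):
    """Allow reads; mutating or unrecognised actions need explicit confirmation."""
    return classify_action(action) == "read" or confirmed_by_user


def redact_evidence(text, env):
    """Mask credential values found in env before text is written to disk."""
    for name in SECRET_ENV_VARS:
        value = env.get(name)
        if value:
            text = text.replace(value, f"<redacted:{name}>")
    return text


def write_evidence(directory, name, text, env):
    """Write redacted evidence as an owner-only file inside directory."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    # basename() keeps a crafted name such as "../x" inside the directory.
    path = os.path.join(directory, os.path.basename(name))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(redact_evidence(text, env))
    return path
```

Region, resource id and time range still reach the evidence file; only the AccessKey values are masked.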

References

  • Sources: references/sources.md

Files: 4 total