Aliyun Hbr Backup
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent for Alibaba Cloud Backup management, but it can use your Alibaba Cloud credentials and make cloud changes, so use least-privilege access and confirm actions before running it.
Before installing, make sure you are comfortable letting the agent use Alibaba Cloud credentials for HBR tasks. Use least-privilege keys, confirm region and resource IDs before any change, and review generated files under output/aliyun-hbr-backup/ before sharing them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make real changes in your Alibaba Cloud backup environment if you ask it to perform configuration or lifecycle operations.
The skill explicitly supports mutating Alibaba Cloud Backup resources. This is aligned with its management purpose, but those API calls can change backup policies or configurations.
Change/configure: prefer `Create*` / `Update*` / `Modify*` / `Set*` APIs for mutations.
Use this skill only with clear task instructions, confirm the exact resource and region before mutations, and prefer read-only/list operations unless a change is intentional.
If broad Alibaba Cloud credentials are available, the agent could perform more HBR actions than intended.
The skill tells the agent to use Alibaba Cloud credentials from environment variables or a local shared credentials file. This is expected for cloud API management, but those credentials may grant account-level authority.
Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID` ... Shared config file: `~/.alibabacloud/credentials`
Provide least-privilege Alibaba Cloud credentials scoped to the needed HBR actions and region, and avoid using administrator keys.
Running the helper script will contact api.aliyun.com and create files in the selected output directory.
The helper script performs a network request to Alibaba Cloud OpenAPI metadata and writes the returned metadata to local files. This matches the documented quickstart and does not show hidden execution.
url = (f"https://api.aliyun.com/meta/v1/products/{args.product_code}" ...); payload = fetch_json(url, timeout); json_file.write_text(...)Run the script only from a trusted working directory and review any generated output before sharing it.
Generated files may reveal details about your Alibaba Cloud backup resources or operations to anyone with access to the workspace.
The skill instructs the agent to persist outputs and operational context locally. This is useful for evidence, but those files may contain cloud resource identifiers or operational details.
Save artifacts, command outputs, and API response summaries under `output/aliyun-hbr-backup/`. Include key parameters (region/resource id/time range) in evidence files for reproducibility.
Check generated files for sensitive resource names, IDs, or operational details before sharing or committing them, and delete them when no longer needed.