Aliyun Live Manage
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent for managing Alibaba Cloud live-video resources, but users should notice that it can use Alibaba Cloud credentials and perform real cloud changes.
Install only if you intend to let the agent manage Alibaba Cloud ApsaraVideo Live resources. Use scoped temporary credentials, confirm every write or deletion target, and review the generated output files for sensitive operational details.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with sufficient Alibaba Cloud permissions, the agent could add, delete, forbid, resume, or reconfigure live streaming resources.
The skill explicitly supports mutation operations that can change or disrupt live-video resources, although these actions are aligned with its stated management purpose and the workflow asks for target confirmation and read-only checks first.
Apply change operations with rollback plan... Domain management: `AddLiveDomain`, `DeleteLiveDomain`... Stream control: `ForbidLiveStream`, `ResumeLiveStream`
Use least-privilege RAM or STS credentials, verify the exact region/domain/app/stream, and require explicit approval before destructive or service-impacting changes.
The agent may act with whatever Alibaba Cloud permissions are available in those credentials.
The skill is designed to use Alibaba Cloud credentials from environment variables or the local shared credentials file; this is expected for the integration but gives the agent delegated cloud account authority.
AccessKey Priority: 1) Environment variables: `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_REGION_ID`. 2) Shared config file: `~/.alibabacloud/credentials`.
Provide temporary, least-privilege credentials limited to the intended Live resources and avoid using broad administrator keys.
Local output files may reveal live domains, stream names, regions, configuration parameters, and API responses.
The skill intentionally persists operational context and API evidence locally, which is useful for auditability but may contain sensitive cloud-resource details.
Save API inventory and operation evidence under `output/aliyun-live-manage/`. Keep region, domain, app/stream, and request parameters in evidence files.
Review generated evidence files, do not store secrets in them, and protect or delete the output directory when it is no longer needed.