Aliyun Mps Manage

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a coherent Alibaba Cloud MPS management helper, but it can use your cloud credentials to make real media-processing changes and stores operation evidence locally.

This skill appears safe for its stated purpose if you intend to manage Alibaba Cloud MPS. Before use, provide only scoped RAM/STS credentials, confirm the exact region and buckets, require approval for write/delete operations, and review or clean the local `output/aliyun-mps-manage` evidence files.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with write permissions, the agent could submit jobs, change templates/workflows, bind buckets, or delete media, potentially causing service changes, data impact, or costs.

Why it was flagged

The skill explicitly covers mutating Alibaba Cloud MPS operations, including deleting media and binding buckets. This is aligned with the stated management purpose but can materially change cloud resources.

Skill content

Media and bucket management: `AddMedia`, `UpdateMedia`, `DeleteMedia`, `BindInputBucket`, `BindOutputBucket`

Recommendation

Use read-only discovery first, specify exact regions/buckets/media IDs, and require explicit confirmation before any write, delete, bind, or job-submission action.

What this means

Over-scoped or production credentials could let the agent make broader Alibaba Cloud changes than intended.

Why it was flagged

The skill instructs use of Alibaba Cloud credentials from environment variables or the local shared credentials file. This is necessary for the cloud-management purpose, but it means actions run with the permissions of those credentials.

Skill content

AccessKey Priority ... `ALICLOUD_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY_SECRET` ... Shared config file: `~/.alibabacloud/credentials`

Recommendation

Use a least-privilege RAM role or short-lived STS credentials scoped to the intended MPS resources and region; avoid broad admin keys.

What this means

Local output files may contain media IDs, bucket locations, workflow identifiers, or request details that reveal sensitive operational information.

Why it was flagged

The skill asks the agent to persist operational identifiers and request parameters in local evidence files. This is useful for troubleshooting but may expose project or media-processing details if shared.

Skill content

Keep region, pipeline/template/workflow IDs, media IDs, and request parameters in evidence files.

Recommendation

Keep the output directory private, avoid writing secrets into request parameters, and delete or redact evidence files when no longer needed.