Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Openapi Discovery

v1.0.0

Use when discovering and reconciling Alibaba Cloud product catalogs from Ticket System, Support & Service, and BSS OpenAPI; fetch OpenAPI product/version/API...

License: MIT-0
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The scripts and SKILL.md perform Alibaba Cloud product/API discovery and legitimately require Alibaba Cloud credentials and service endpoints. However, the registry metadata lists no required environment variables or credentials while the SKILL.md and multiple scripts clearly expect ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET (and optional security token/region) and service endpoint vars. That registry vs runtime mismatch is misleading and problematic.
Instruction Scope
Runtime instructions are explicit: run the included Python scripts to call Alibaba metadata and product APIs, write outputs under output/, and provide the required env vars. The instructions do not attempt to read unrelated local files or send data to unknown third-party endpoints — network calls target Alibaba APIs and write local artifacts.
Install Mechanism
There is no install spec even though multiple Python scripts import the aliyun SDK (aliyun-python-sdk-core). The package requirement is hinted only by runtime error messages. Lack of a declared install step or dependency list increases friction and risk (users may run without required packages or with unvetted versions). There are no downloads from untrusted URLs, so code-origin risk is moderate rather than high.
Credentials
The credentials requested by the scripts (ALICLOUD_ACCESS_KEY_ID/SECRET, optional STS token, and service endpoint vars) are proportionate to the described task, but they are sensitive. The registry failing to declare those required env vars is a significant inconsistency. Also some scripts accept arbitrary SUPPORT_ENDPOINT/TICKET_ENDPOINT values (expected for per-product endpoints) — those could point to internal/non-public hosts, so users should review before supplying endpoints/credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent elevated platform privileges. It writes artifacts only under output/ by convention and does not attempt to modify other skills or global agent configuration.
What to consider before installing
This skill appears to do what it claims (gather Alibaba Cloud product and OpenAPI metadata), but take precautions before running it:

  • Expect to provide ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET (and optional security token/region) even though the registry metadata does not list them; treat these as sensitive secrets.
  • Use least-privilege credentials (read/list-only) and consider using a short-lived STS token. Do not run with account-owner keys.
  • Install required Python dependencies (aliyun-python-sdk-core) in an isolated environment (virtualenv or container) before running.
  • Review the endpoints (SUPPORT_ENDPOINT, TICKET_ENDPOINT) you supply to ensure they point to the intended services and not to unexpected hosts.
  • Run with dry-run filters (OPENAPI_META_MAX_PRODUCTS, OPENAPI_META_PRODUCTS) to limit scope initially and inspect outputs under output/.
  • Consider running the scripts in a sandbox or ephemeral CI job and rotate or revoke keys afterwards.

If you need this skill to be safer for broader consumption, ask the author to: declare required env vars in registry metadata, provide an install/dependency spec (pip requirements), and document the least-privilege IAM scopes required.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Alibaba Cloud Product + API Discovery

Follow this workflow to collect products, resolve API metadata, and build summaries for skill planning.

Workflow

  1. Fetch product lists from the three sources
  • Ticket System (ListProducts)
  • Support & Service (ListProductByGroup)
  • BSS OpenAPI (QueryProductList)

Run the bundled scripts (from this skill folder):

python scripts/products_from_ticket_system.py
python scripts/products_from_support_service.py
python scripts/products_from_bssopenapi.py

Provide required env vars in each script (see references).

  2. Merge product lists
python scripts/merge_product_sources.py

This writes output/product-scan/merged_products.json and .md.

  3. Fetch OpenAPI metadata product list
python scripts/products_from_openapi_meta.py

This writes output/product-scan/openapi-meta/products.json and products_normalized.json.

  4. Fetch OpenAPI API docs per product/version
python scripts/apis_from_openapi_meta.py

By default this can be large. Use filters for dry runs:

  • OPENAPI_META_MAX_PRODUCTS=10
  • OPENAPI_META_PRODUCTS=Ecs,Ons
  • OPENAPI_META_VERSIONS=2014-05-26

  5. Join products with API counts
python scripts/join_products_with_api_meta.py

  6. Summarize products by category/group
python scripts/summarize_openapi_meta_products.py

  7. (Optional) Compare products vs existing skills
python scripts/analyze_products_vs_skills.py
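A pre-flight check covering the workflow above and the scan report's precautions: it confirms the required credential variables are set, that any SUPPORT_ENDPOINT/TICKET_ENDPOINT you supply points at a first-party Alibaba Cloud host, and whether the dry-run filters bound the run. This is an added example, not one of the skill's own scripts; the `.aliyuncs.com` allowlist suffix and the `preflight` function are assumptions, and the inputs in the `__main__` block are read from your environment.

```python
import os
from urllib.parse import urlparse

# Variable names come from the SKILL.md and scan report; the list is constructed here.
REQUIRED_VARS = ("ALICLOUD_ACCESS_KEY_ID", "ALICLOUD_ACCESS_KEY_SECRET")
ENDPOINT_VARS = ("SUPPORT_ENDPOINT", "TICKET_ENDPOINT")
# Assumption: only first-party Alibaba Cloud API hosts are acceptable endpoints.
ALLOWED_SUFFIX = ".aliyuncs.com"


def endpoint_host(value: str) -> str:
    """Host part of an endpoint given as 'host' or 'scheme://host[:port][/path]'."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()


def endpoint_allowed(value: str) -> bool:
    """True only when the host is a subdomain under the allowlisted suffix."""
    host = endpoint_host(value)
    return bool(host) and host.endswith(ALLOWED_SUFFIX)


def preflight(env: dict) -> dict:
    """Inspect env before running the discovery scripts. Reports names only, never values."""
    findings = {"missing": [], "bad_endpoints": [], "scope": {}}
    for name in REQUIRED_VARS:
        if not env.get(name):
            findings["missing"].append(name)
    for name in ENDPOINT_VARS:
        value = env.get(name)
        if value and not endpoint_allowed(value):
            findings["bad_endpoints"].append(name)
    # Dry-run filters from the workflow: without them the API-doc fetch is unbounded.
    max_products = env.get("OPENAPI_META_MAX_PRODUCTS") or ""
    products = [p for p in (env.get("OPENAPI_META_PRODUCTS") or "").split(",") if p]
    findings["scope"]["max_products"] = int(max_products) if max_products.isdigit() else None
    findings["scope"]["products"] = products
    findings["unbounded"] = findings["scope"]["max_products"] is None and not products
    findings["ok"] = not findings["missing"] and not findings["bad_endpoints"]
    return findings


if __name__ == "__main__":
    print(preflight(dict(os.environ)))
```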

Output discipline

All generated files must go under output/. Do not place temporary files elsewhere.

Validation

mkdir -p output/aliyun-openapi-discovery
for f in skills/platform/openapi/aliyun-openapi-discovery/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-openapi-discovery/validate.txt

Pass criteria: command exits 0 and output/aliyun-openapi-discovery/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-openapi-discovery/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Product source APIs: see references/product-sources.md
  • OpenAPI meta endpoints: see references/openapi-meta.md

Files

13 total